
Windows Analysis Report
WIN_SCM_RDM_INSTALL_4.0.4.0.EXE

Overview

General Information

Sample name:WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Analysis ID:1546329
MD5:c20f986ed82e351e90b8a8140ccbf8e9
SHA1:9b62da430088fb0a73deaa8fb99ca7df89ffc0b2
SHA256:d8475f7c55ff4a9e40c2593b477d2bed7d7c3e8f79ef3eed64a61794b328f130
Infos:

Detection

Score:42
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:51
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Found stalling execution ending in API Sleep call
Installs new ROOT certificates
Overwrites Mozilla Firefox settings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • WIN_SCM_RDM_INSTALL_4.0.4.0.EXE (PID: 5028 cmdline: "C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE" MD5: C20F986ED82E351E90B8A8140CCBF8E9)
    • WIN_SCM_RDM_INSTALL_4.0.4.0.tmp (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$203DA,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE" MD5: C2B12368174C2843B050C1000CD7A7F3)
      • WIN_DA_Install_4.0.4.0.exe (PID: 6336 cmdline: "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART MD5: FAC28B29942B43B885400CCBCBC47C06)
        • WIN_DA_INSTALL_4.0.4.0.tmp (PID: 5432 cmdline: "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART MD5: 895924B96B8B7BC52781E921E0AB93B8)
          • net.exe (PID: 3432 cmdline: "C:\Windows\system32\net.exe" stop RDMAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 2192 cmdline: C:\Windows\system32\net1 stop RDMAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
          • cmd.exe (PID: 5552 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 3320 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • cmd.exe (PID: 3652 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 3704 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • rdmappweb-4.6.0-ms-windows-x86.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT MD5: 8DFECDDDB51D01D40B8FC278AE3C555C)
            • rdmappweb-4.6.0-ms-windows-x86.tmp (PID: 2800 cmdline: "C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104A6,6322833,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT MD5: 62B4483DC79B5846006C0C644B51FE6C)
              • RDMAppman.exe (PID: 3476 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
              • RDMAppman.exe (PID: 5700 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
              • RDMAppman.exe (PID: 2300 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
          • net.exe (PID: 3468 cmdline: "C:\Windows\system32\net.exe" stop RDMAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 5032 cmdline: C:\Windows\system32\net1 stop RDMAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
          • cmd.exe (PID: 1416 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 1780 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • vcredist_x86.exe (PID: 3320 cmdline: "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe" /q MD5: B88228D5FEF4B6DC019D69D4471F23EC)
            • Setup.exe (PID: 6864 cmdline: c:\1be23190e4cbe7570e736d15\Setup.exe /q MD5: 006F8A615020A4A17F5E63801485DF46)
          • RDM_ROOT_CERTIFICATE.exe (PID: 3476 cmdline: "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART MD5: DBC54A8343ACC3271098DD7F2E5B7345)
            • RDM_ROOT_CERTIFICATE.tmp (PID: 5692 cmdline: "C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$504A4,6221732,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART MD5: 3E828ACD7AFDC653C0E0CA4F00A876C6)
              • certmgr.exe (PID: 1012 cmdline: "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root MD5: 5D077A0CDD077C014EEDB768FEB249BA)
                • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 3192 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cmd.exe (PID: 5208 cmdline: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • certutil.exe (PID: 4024 cmdline: "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" MD5: 0C6B43C9602F4D5AC9DCF907103447C4)
          • regsvr32.exe (PID: 5760 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
          • net.exe (PID: 1976 cmdline: "C:\Windows\system32\net.exe" stop RDMAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 1460 cmdline: C:\Windows\system32\net1 stop RDMAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
          • cmd.exe (PID: 7080 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 3380 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • RDMAppman.exe (PID: 6104 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
          • cmd.exe (PID: 6192 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 2012 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • cmd.exe (PID: 2016 cmdline: "cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 3576 cmdline: taskkill /F /IM "RDMAppman.exe" /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
          • net.exe (PID: 3184 cmdline: "C:\Windows\system32\net.exe" start RdmAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 3460 cmdline: C:\Windows\system32\net1 start RdmAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • WIN_SCM_Support_4.0.3.1.exe (PID: 5872 cmdline: "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART MD5: A1234F8D3A7122BE13679CFA0D9EB3E6)
  • RDMAppman.exe (PID: 5824 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe" MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
    • RDMAppweb.exe (PID: 1460 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe" MD5: BA232235CDE212CF4900B84C7BF1CC0E)
      • conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 6140 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • RDMAppman.exe (PID: 5648 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe" MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
    • RDMAppweb.exe (PID: 5552 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe" MD5: BA232235CDE212CF4900B84C7BF1CC0E)
      • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", CommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$504A4,6221732,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp, ParentProcessId: 5692, ParentProcessName: RDM_ROOT_CERTIFICATE.tmp, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", ProcessId: 3192, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", CommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$504A4,6221732,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp, ParentProcessId: 5692, ParentProcessName: RDM_ROOT_CERTIFICATE.tmp, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", ProcessId: 3192, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem", CommandLine: "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3192, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem", ProcessId: 4024, ProcessName: certutil.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", CommandLine: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3192, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", ProcessId: 5208, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp, ParentProcessId: 5432, ParentProcessName: WIN_DA_INSTALL_4.0.4.0.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, ProcessId: 3432, ProcessName: net.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\system32\net.exe" start RdmAppweb, CommandLine: "C:\Windows\system32\net.exe" start RdmAppweb, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp, ParentProcessId: 5432, ParentProcessName: WIN_DA_INSTALL_4.0.4.0.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" start RdmAppweb, ProcessId: 3184, ProcessName: net.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp, ParentProcessId: 5432, ParentProcessName: WIN_DA_INSTALL_4.0.4.0.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, ProcessId: 3432, ProcessName: net.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T19:35:23.926818+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.6 | 49766 | TCP
2024-10-31T19:36:02.122625+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.6 | 49957 | TCP


AV Detection

Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Avira: detected
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8EBDF0 mprGetRandomString,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,mprError,gettimeofday,_getpid,16_2_6C8EBDF0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8EC630 mprCryptPassword,sfmt,mprEncode64Block,16_2_6C8EC630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8EC7A0 mprMakeSalt,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,16_2_6C8EC7A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8EC880 mprMakePassword,mprMakeSalt,mprCryptPassword,sfmt,16_2_6C8EC880
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D98C0 mprGetRandomBytes,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,16_2_6C8D98C0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8EC8F0 mprCheckPassword,sclone,stok,stok,stok,stok,atoi,mprCryptPassword,slen,slen,16_2_6C8EC8F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C82BDF0 mprGetRandomString,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,mprError,gettimeofday,_getpid,17_2_6C82BDF0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C82C630 mprCryptPassword,sfmt,mprEncode64Block,17_2_6C82C630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C82C7A0 mprMakeSalt,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,17_2_6C82C7A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C82C880 mprMakePassword,mprMakeSalt,mprCryptPassword,sfmt,17_2_6C82C880
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8198C0 mprGetRandomBytes,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,17_2_6C8198C0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C82C8F0 mprCheckPassword,sclone,stok,stok,stok,stok,atoi,mprCryptPassword,slen,slen,17_2_6C82C8F0

Compliance

Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-86JQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-0SBL0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\is-GU0VV.tmp
Source: C:\1be23190e4cbe7570e736d15\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20241031_143528385-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: c:\1be23190e4cbe7570e736d15\1049\eula.rtf
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: certificate valid
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | File opened: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\MSVCR100.dll
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Home\user\zlib-1.2.5\zlib1.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, 0000001D.00000000.2328115444.0000000001002000.00000020.00000001.01000000.00000017.sdmp, vcredist_x86.exe, 0000001D.00000002.2426660988.0000000001002000.00000020.00000001.01000000.00000017.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000562C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MFCM100U.i386.pdb source: mfcm100u.dll.31.dr
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdbLm source: is-RDHNK.tmp.15.dr
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb0p@ source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000562C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb$P source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: patchhooks.pdb source: 495214.msi.31.dr
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdb source: is-RDHNK.tmp.15.dr
Source: Binary string: EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib6)\a source: RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 0000001E.00000000.2349500285.0000000000801000.00000020.00000001.01000000.00000018.sdmp, Setup.exe, 0000001E.00000002.2420145503.0000000000801000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: RDMAppman.exe, RDMAppman.exe, 00000011.00000002.2280534298.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000012.00000002.2283501761.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000013.00000002.2297957399.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000014.00000002.2294670773.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000030.00000002.2510791781.000000006C491000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000031.00000002.2543935184.000000006C491000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000032.00000002.2545500479.000000006C491000.00000020.00000001.01000000.0000000F.sdmp, is-DTEOI.tmp.15.dr
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, 0000001E.00000002.2424852931.000000006C371000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: Setupuser.pdb source: Setup.exe, 0000001E.00000002.2425333406.000000006C641000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}"@ source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: atl100.i386.pdb source: atl100.dll.31.dr
Source: Binary string: patchhooks.pdbX source: 495214.msi.31.dr
Source: Binary string: MFCM100U.i386.pdb00 source: mfcm100u.dll.31.dr
Source: Binary string: SetupResources.pdb source: SetupResources.dll6.29.dr, SetupResources.dll0.29.dr
Source: Binary string: SetupUi.pdb source: SetupUi.dll.29.dr
Source: Binary string: "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\cmd.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_00476120 FindFirstFileA,FindNextFileA,FindClose, 15_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_004531A4 FindFirstFileA,GetLastError, 15_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 15_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 15_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_00463344 FindFirstFileA,FindNextFileA,FindClose, 15_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 15_2_0049998C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C870CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C870CBB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,16_2_6C86CC23
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C87088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C87088A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,16_2_6C86C8FD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86E0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,16_2_6C86E0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C8381A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C8381A1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86FF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86FF0E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86F9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86F9DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86DBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,16_2_6C86DBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86F593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86F593
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86D687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,16_2_6C86D687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C87110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C87110C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86F169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86F169
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C8F5FA0 mprCreateList,mprJoinPath,FindFirstFileA,memcpy,fmt,mprAddItem,FindNextFileA,FindClose,16_2_6C8F5FA0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C835FA0 mprCreateList,mprJoinPath,FindFirstFileA,memcpy,fmt,mprAddItem,FindNextFileA,FindClose,17_2_6C835FA0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8B0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8B0CBB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8ACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,17_2_6C8ACC23
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8B088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8B088A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,17_2_6C8AC8FD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,17_2_6C8AE0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8781A1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AFF0E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AF9DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8ADBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,17_2_6C8ADBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AF593
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,17_2_6C8AD687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8B110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8B110C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AF169
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 4x nop then push esi 16_2_6C81F680
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 4x nop then or byte ptr [edi], dh 16_2_6C827270
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 4x nop then push esi 17_2_6C85F680
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 4x nop then or byte ptr [edi], dh 17_2_6C867270
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49766
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49957
Source: unknown DNS traffic detected: query: 126.131.12.0.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 16_2_6C8E8EF0 EnterCriticalSection,LeaveCriticalSection,mprYield,recvfrom,recv,mprResetYield,WSAGetLastError,LeaveCriticalSection, 16_2_6C8E8EF0
Source: global traffic DNS traffic detected: DNS query: 126.131.12.0.in-addr.arpa
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.jquery.com/ticket/12282#comment:15
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.jquery.com/ticket/12359
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.jquery.com/ticket/13378
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2218744472.00000000025ED000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2219175014.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.drString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2218744472.00000000025ED000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2219175014.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.drString found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2259523840.0000000002111000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2259454420.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2291371648.0000000002111000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2264674334.0000000002128000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2264600051.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2284146975.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2285664817.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://embedthis.com/downloads/licensing.html
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2285969878.000000000018E000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://embedthis.com/products/appweb/doc/guide/appweb/users/authentication.html.
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: Setup.exe, 0000001E.00000003.2353951933.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2359688268.00000000033C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.
Source: Setup.exe, 0000001E.00000003.2355692370.0000000001706000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2358356107.0000000001706000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c/fwlink/?LinkId=146008
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jquery.com/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jquery.org/license
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-Q6KL2.tmp.4.dr | String found in binary or memory: http://jqueryui.com
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-Q6KL2.tmp.4.dr | String found in binary or memory: http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jsperf.com/getall-vs-sizzle/2
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2218744472.00000000025ED000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2219175014.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2218744472.00000000025ED000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2219175014.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2543123509.000000006B87B000.00000002.00000001.01000000.0000002E.sdmp | String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: Setup.exe, 0000001E.00000003.2353320753.0000000001706000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.q
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2218744472.00000000025ED000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2219175014.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2218744472.00000000025ED000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2219175014.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572638614.000000000267C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2572898617.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr, is-VVEV9.tmp.2.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://sizzlejs.com/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.ascc.net/xml/schematron
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.ascc.net/xml/schematronhttp://purl.oclc.org/dsdl/schematronallocating
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000000.2436733705.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | String found in binary or memory: http://www.innosetup.com/
Source: rdmappweb-4.6.0-ms-windows-x86.exe, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000000.2435227336.0000000000401000.00000020.00000001.01000000.0000001E.sdmp | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000000.2435227336.0000000000401000.00000020.00000001.01000000.0000001E.sdmp | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: certutil.exe, 00000027.00000002.2460299035.000000006C8D3000.00000002.00000001.01000000.00000026.sdmp, certutil.exe, 00000027.00000002.2460966448.000000006E523000.00000002.00000001.01000000.00000025.sdmp, certutil.exe, 00000027.00000002.2460140172.000000006C8B7000.00000002.00000001.01000000.00000027.sdmp | String found in binary or memory: http://www.mozilla.org/MPL/
Source: certutil.exe, 00000027.00000002.2460299035.000000006C8D3000.00000002.00000001.01000000.00000026.sdmp, certutil.exe, 00000027.00000002.2460966448.000000006E523000.00000002.00000001.01000000.00000025.sdmp, certutil.exe, 00000027.00000002.2460140172.000000006C8B7000.00000002.00000001.01000000.00000027.sdmp | String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtdConverting
Source: is-RDHNK.tmp.15.dr | String found in binary or memory: http://www.openssl.org/V
Source: is-RDHNK.tmp.15.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: is-RDHNK.tmp.15.dr | String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2571489815.0000000002580000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2644788370.000000000232A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com
Source: RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2464314271.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2435689448.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2437614454.0000000002208000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2462692515.0000000002208000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com&
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com//industries-served/check-cashing
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/company/about-us
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/company/board-of-directors
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/company/careers
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/company/executive-team
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/company/industry-links
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/company/investors
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/contact
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions/all-in-one-payment-terminal
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions/check-scanners
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions/micr-image-quality-control
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/industries-served/brokerage-firms
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/industries-served/financial-institutions
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/industries-served/property-management
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/markets-served
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/news-and-events
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/partners/find-a-partner
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/data-management
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/image-cash-letter
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/professional-services
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/remittance-processing
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/remote-deposit-capture
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/privacy-statement
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/support
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.com/terms-of-use
Source: WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2556160502.000000000235A000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2644788370.000000000232A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.comA
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2925797114.0000000002263000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.comQ6&
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000002.00000003.2921972489.0000000002513000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.rdmcorp.comQ7Q
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2261482932.000000000211C000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2260825817.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000000.2436733705.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | String found in binary or memory: http://www.remobjects.com/ps
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2261482932.000000000211C000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2260825817.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000000.2436733705.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | String found in binary or memory: http://www.remobjects.com/psU
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000002.2553200589.000000000018F000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.zlib.net/D
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2285969878.000000000018E000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https:///admin/login.esp
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en/Security/CSP)
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, is-VVEV9.tmp.2.dr | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://localhost:736/SCM/4.0/da.esp
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://localhost:736/SCM/4.0/da.espDA_UserIdInstallFile
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-2SN5D.tmp.4.dr | String found in binary or memory: https://localhost:736/SCM/4.0/scm.esp
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: is-VVEV9.tmp.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.0000000002500000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000002.00000000.2141524507.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | String found in binary or memory: https://www.innosetup.com/
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.0000000002500000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000002.00000000.2141524507.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | String found in binary or memory: https://www.remobjects.com/ps
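Most of the URLs in the listing above are not network indicators at all. The crl*.digicert.com, ocsp*.globalsign.com, secure.globalsign.com and CPS/repository entries are the CRL distribution points, OCSP responders and CA-issuer pointers carried inside the Authenticode certificate chains of the signed installers; the stray "0:", "0A", "0C", "0=" tails are DER residue (0x30 is the SEQUENCE tag that follows a URI inside an X.509 extension, and "0" is its ASCII form, sometimes with a printable length byte after it). The https://localhost:736/... entries point at a listener on the analysis machine itself, which is consistent with the bundled Embedthis Appweb server and the RDM_ROOT_CERTIFICATE installer seen elsewhere in the listing (an inference from the strings, not a statement the report makes). The script below is an added triage helper, not part of the Joe Sandbox report or of the RDM software: it parses records in the page's own layout (with or without a " | " between the source list and the finding), strips the DER residue, and buckets each URL so PKI noise can be set aside. The SAMPLE records are a constructed subset of the listing with shortened source lists.

```python
"""Triage the "String found in binary or memory" records of a sandbox report.

Added example (not the report's or the vendor's code). Records look like
  Source: <proc>, <dump>.sdmp, <dropped>.N.dr[ | ]String found in binary or memory: <url>
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the page's layout; source lists shortened.
SAMPLE = """\
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-2SN5D.tmp.4.drString found in binary or memory: https://localhost:736/SCM/4.0/scm.esp
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2285969878.000000000018E000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https:///admin/login.esp
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://jquery.org/license
Source: WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2571489815.0000000002580000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com
"""

# The source list and the finding may be fused ("sdmpString found") or
# separated by " | "; both layouts are accepted.
RECORD_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*(?:\|\s*)?"
    r"String found in binary or memory:\s*(?P<url>\S+)\s*$"
)

# DER residue: after a URI in an X.509 extension comes a SEQUENCE whose tag
# byte 0x30 is ASCII "0"; its length byte may be printable too. The string
# extractor glues that onto the URL, so the tail is "0" plus at most one char.
DER_TAIL_RE = re.compile(r"0[^/]?$")
PKI_HOST_RE = re.compile(r"^(crl\d*|ocsp\d*|secure)\.", re.I)
PKI_PATH_RE = re.compile(r"(\.crl|\.crt|/CPS|/repository/|cps-repository)", re.I)


def source_names(src):
    """Process / dropped-file names from a source list, dumps left out."""
    names = []
    for item in re.split(r"\s*,\s*", src):
        if not item or item.endswith(".sdmp"):
            continue
        names.append(re.sub(r"\.\d+\.dr$", "", item))  # is-X.tmp.4.dr -> is-X.tmp
    return names


def parse_record(line):
    """Return (names, url) for one record, or None if the line is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return source_names(m.group("src")), m.group("url")


def strip_der_tail(url):
    """Drop the SEQUENCE tag/length residue from a certificate-embedded URL."""
    return DER_TAIL_RE.sub("", url)


def classify(url):
    """Bucket a URL; returns (category, normalised_url)."""
    host = urlsplit(url).hostname or ""
    if not host:
        return "template_no_host", url        # host filled in at runtime
    if host in ("localhost", "127.0.0.1"):
        return "local_service", url           # the sample's own listener
    if PKI_HOST_RE.match(host) or PKI_PATH_RE.search(url):
        # CRL / OCSP / AIA / CPS pointers from the code-signing chain
        return "pki_from_signature", strip_der_tail(url)
    return "external", url


def triage(text):
    """category -> normalised url -> sorted list of processes it was seen in."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        names, url = rec
        cat, norm = classify(url)
        buckets[cat][norm].update(names)
    return {cat: {u: sorted(p) for u, p in urls.items()}
            for cat, urls in buckets.items()}


def report(text):
    """Print the buckets with PKI noise last, so the analyst reads the rest first."""
    result = triage(text)
    for cat in ("local_service", "template_no_host", "external", "pki_from_signature"):
        if cat not in result:
            continue
        print(f"== {cat} ({len(result[cat])} urls)")
        for url, procs in sorted(result[cat].items()):
            print(f"  {url}  <- {', '.join(procs)}")


if __name__ == "__main__":
    report(SAMPLE)
```

Run it on the whole "String found" block to get the short list worth looking at: the localhost endpoints, the host-less template, and the external hosts grouped by the processes that carry them. The PKI bucket is only a sanity check that the signing chain is the one expected (DigiCert and GlobalSign here); a CRL or OCSP host that does not belong to a CA in the sample's signature would be the anomaly.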
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0042F9C0 NtdllDefWindowProc_A,15_2_0042F9C0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00423FD4 NtdllDefWindowProc_A,15_2_00423FD4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00412A28 NtdllDefWindowProc_A,15_2_00412A28
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00479D08 NtdllDefWindowProc_A,15_2_00479D08
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,15_2_00457D90
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0042ED84: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,15_2_0042ED84
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE1BC5 OpenSCManagerA,mprError,OpenServiceA,CloseServiceHandle,mprError,ControlService,GetLastError,mprSleep,QueryServiceStatus,QueryServiceStatus,mprSleep,QueryServiceStatus,GetLastError,mprError,DeleteService,GetLastError,GetLastError,mprError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,16_2_00EE1BC5
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,14_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,15_2_00455D80
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-FD1BT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-MD2IU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-B4BSA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-OQIAI.tmp
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\495214.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{196BB40D-1578-3D01-B289-BEFC77A11A1E}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI5466.tmp
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\atl100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100u.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfcm100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\495217.msi
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\495217.msi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\495217.msi
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00408888
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00468034
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00471688
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0048F6BC
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00488030
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0046A088
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00452100
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0043E1F0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004307FC
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00444968
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00434A64
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00444F10
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00488F90
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00431388
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00445608
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00435768
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0045F8C0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0045B970
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00445A14
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE15F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE1000
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C85ECCD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C828F83
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8A083D
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C840919
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C826B28
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C88245B
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C83457E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C82867F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8B672F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C88E765
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C86E0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C826018
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8121F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8A8140
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C82A2A7
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8842FB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8243A6
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8263C9
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C86A3DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8A1C17
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C825C2C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C825C30
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C823DD0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C829D65
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8A3888
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C88F82E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C889945
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8B1A00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C823A1C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8B7A5A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C86DBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C88D45A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C86D687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8B9659
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8AD674
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C88B79B
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8297A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C827093
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8271A3
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C83911E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8852E5
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8B923E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C827270
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C883332
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D8770
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D94E0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D3C50
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D8D00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8DDE80
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D4EB0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D3630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8DD630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8DA670
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D7E70
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D7080
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8E80A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D48E0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8E60F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D8060
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D3070
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D4070
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D5180
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D6990
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D99B0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D61E0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D3AB0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D2AF0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D8A30
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D53D0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_00EE15F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_00EE1000
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C818770
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8194E0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C813C50
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C818D00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C81DE80
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C814EB0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C813630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C81D630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C81A670
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C817E70
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C817080
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8280A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8148E0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8260F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C818060
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C813070
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C814070
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C815180
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C816990
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8199B0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8161E0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C813AB0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C812AF0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C818A30
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8153D0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C89ECCD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C868F83
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8E083D
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C880919
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C866B28
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8C245B
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C87457E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C86867F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8F672F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8CE765
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8AE0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C866018
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8521F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8E8140
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C86A2A7
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8C42FB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8643A6
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8663C9
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8AA3DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8E1C17
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C865C2C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C865C30
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C863DD0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C869D65
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8E3888
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8CF82E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8C9945
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8F1A00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C863A1C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8F7A5A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8ADBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8CD45A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8AD687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8F9659
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8ED674
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8CB79B
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8697A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C867093
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8671A3
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C87911E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8C52E5
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8F923E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C867270
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8C3332
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00403684 appears 229 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C82B046 appears 63 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C86A51F appears 39 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C826F20 appears 46 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C86B046 appears 63 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C82A51F appears 41 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C860C80 appears 152 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C820C67 appears 73 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C8E7010 appears 46 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C820C80 appears 152 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C860C67 appears 75 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C827010 appears 46 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6C8E6F20 appears 46 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 00EE307C appears 56 times
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: WIN_DA_INSTALL_4.0.4.0.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-292HM.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: rdmappweb-4.6.0-ms-windows-x86.tmp.14.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: rdmappweb-4.6.0-ms-windows-x86.tmp.14.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: rdmappweb-4.6.0-ms-windows-x86.tmp.14.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-UGKNT.tmp.15.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-UGKNT.tmp.15.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-UGKNT.tmp.15.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SetupResources.dll4.29.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: RDM_ROOT_CERTIFICATE.tmp.32.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: RDM_ROOT_CERTIFICATE.tmp.32.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: RDM_ROOT_CERTIFICATE.tmp.32.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
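The "Resource name: RT_RCDATA type: PE32+ executable (console) x86-64" lines above are libmagic-style type verdicts on each resource of the dropped Inno Setup stubs: the nested installers carry further PE images inside their RCDATA resources (the RT_VERSION verdicts, "370 sysV pure executable" and "COM executable for DOS", are the usual misfires of a magic-number check on version-info blobs and are not executables). The following added example (not Joe Sandbox or RDM code) shows the check those verdicts rest on, done from the raw header fields instead of libmagic: walk a blob for "MZ" headers, follow e_lfanew to the PE signature, and read machine, image format, DLL flag and subsystem from the COFF and optional headers. The blob is constructed inline from two synthetic header-only images plus a decoy "MZ"; on a real sample you would feed it an RT_RCDATA resource extracted with a library such as pefile, which this example deliberately does not import so that it runs offline.

```python
"""Carve PE headers out of an opaque blob (e.g. an RT_RCDATA resource).

Added example, not Joe Sandbox or RDM code. It reproduces the kind of
verdict shown in the report ("PE32+ executable (console) x86-64") from
the raw header fields. The sample blob is constructed inline; no real
resource is read.
"""
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}


def parse_pe_at(blob, off):
    """Validate an MZ/PE header pair at off and return its key fields, else None."""
    if off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew must point past the DOS header and stay within a sane range.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if opt_size < 70 or opt + 70 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        return None
    # Subsystem sits at optional-header offset 68 in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    return {
        "offset": off,
        "format": fmt,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def find_embedded_pe(blob):
    """Every offset in blob at which a plausible PE image starts."""
    hits = []
    off = blob.find(b"MZ")
    while off != -1:
        hit = parse_pe_at(blob, off)
        if hit:
            hits.append(hit)
        off = blob.find(b"MZ", off + 1)
    return hits


def describe(hit):
    """Render a hit in the same style as the report's type strings."""
    parts = [hit["format"], "executable"]
    if hit["is_dll"]:
        parts.append("(DLL)")
    parts += [f"({hit['subsystem']})", hit["machine"]]
    return " ".join(parts)


def build_fake_pe(machine, is_dll, subsystem, pe32plus):
    """Constructed header-only image (no sections); enough to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed blob: a decoy 'MZ' with no PE behind it, a PE32+ console image,
# some filler, then a PE32 GUI DLL.
SAMPLE_BLOB = (
    b"\0" * 17 + b"MZ" + b"\0" * 50
    + build_fake_pe(0x8664, False, 3, True)
    + b"junkjunk"
    + build_fake_pe(0x14C, True, 2, False)
)

if __name__ == "__main__":
    for h in find_embedded_pe(SAMPLE_BLOB):
        print(f"offset 0x{h['offset']:x}: {describe(h)}")
```

Bounding e_lfanew and requiring both the "PE\0\0" signature and a known optional-header magic is what keeps stray "MZ" byte pairs (common in compressed data) from being reported as embedded images.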
Source: SetupResources.dll7.29.dr | Static PE information: No import functions for PE file found
Source: mfc100esn.dll.31.dr | Static PE information: No import functions for PE file found
Source: mfc100ita.dll.31.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll0.29.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll3.29.dr | Static PE information: No import functions for PE file found
Source: mfc100jpn.dll.31.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll1.29.dr | Static PE information: No import functions for PE file found
Source: mfc100enu.dll.31.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll4.29.dr | Static PE information: No import functions for PE file found
Source: mfc100cht.dll.31.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll5.29.dr | Static PE information: No import functions for PE file found
Source: mfc100kor.dll.31.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll6.29.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll.29.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll8.29.dr | Static PE information: No import functions for PE file found
Source: mfc100chs.dll.31.dr | Static PE information: No import functions for PE file found
Source: mfc100deu.dll.31.dr | Static PE information: No import functions for PE file found
Source: mfc100rus.dll.31.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll2.29.dr | Static PE information: No import functions for PE file found
Source: mfc100fra.dll.31.dr | Static PE information: No import functions for PE file found
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.00000000025EC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2925797114.0000000002228000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000000.2137987917.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: mfc100esn.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100ita.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100jpn.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100enu.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100cht.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100kor.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100chs.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100deu.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100rus.dll.31.dr | Static PE information: Section .rsrc
Source: mfc100fra.dll.31.dr | Static PE information: Section .rsrc
Source: net.exe, 0000003A.00000002.2545500170.00000000030B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBp
Source: classification engine | Classification label: mal42.phis.spyw.evad.winEXE@103/367@1/0
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,14_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,15_2_00455D80
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,15_2_004565A8
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: OpenSCManagerA,mprError,OpenServiceA,GetModuleFileNameA,CreateServiceA,GetLastError,GetLastError,GetLastError,mprError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,fmt,mprWriteRegistry,mprError,fmt,mprWriteRegistry,mprError,mprGetAppDir,mprGetPathParent,mprWriteRegistry,mprError,mprWriteRegistry,mprError,16_2_00EE15F0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: OpenSCManagerA,mprError,OpenServiceA,GetModuleFileNameA,CreateServiceA,GetLastError,GetLastError,GetLastError,mprError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,fmt,mprWriteRegistry,mprError,fmt,mprWriteRegistry,mprError,mprGetAppDir,mprGetPathParent,mprWriteRegistry,mprError,mprWriteRegistry,mprError,17_2_00EE15F0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0046EE04 GetVersion,CoCreateInstance,15_2_0046EE04
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource,14_2_0040A0D4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE1880 OpenSCManagerA,mprError,OpenServiceA,mprError,CloseServiceHandle,ChangeServiceConfigA,GetLastError,GetLastError,GetLastError,mprError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,16_2_00EE1880
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE1510 OpenSCManagerA,mprError,GetServiceDisplayNameA,CloseServiceHandle,StartServiceCtrlDispatcherA,GetLastError,mprError,16_2_00EE1510
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_00EE1510 OpenSCManagerA,mprError,GetServiceDisplayNameA,CloseServiceHandle,StartServiceCtrlDispatcherA,GetLastError,mprError,17_2_00EE1510
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:504:120:WilError_03
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1096:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1824:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_03
Source: C:\1be23190e4cbe7570e736d15\Setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_03
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | File created: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert""
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --args | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --console | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --continue | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --daemon | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --heartBeat | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --home | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --log | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --name | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --program | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --verbose | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: 8I | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: run | 16_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --args | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --console | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --continue | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --daemon | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --heartBeat | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --home | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --log | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --name | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --program | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --verbose | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: 8I | 17_2_00EE2350
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: run | 17_2_00EE2350
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2461193802.0000000005ED2000.00000004.00001000.00020000.00000000.sdmp, is-F4PON.tmp.33.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | ReversingLabs: Detection: 29%
Source: rdmappweb-4.6.0-ms-windows-x86.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: RDMAppman.exe | String found in binary or memory: --help
Source: RDMAppman.exe | String found in binary or memory: --help
Source: RDMAppman.exe | String found in binary or memory: --help
Source: RDMAppman.exe | String found in binary or memory: --help
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | File read: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: unknown | Process created: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE "C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Process created: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$203DA,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Process created: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp "C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104A6,6322833,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start
Source: unknown | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe" /q
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | Process created: C:\1be23190e4cbe7570e736d15\Setup.exe c:\1be23190e4cbe7570e736d15\Setup.exe /q
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp "C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$504A4,6221732,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
Source: unknown | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" start RdmAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start RdmAppweb
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Process created: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$203DA,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" start RdmAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exeProcess created: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp "C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104A6,6322833,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpProcess created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstallJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpProcess created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enableJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpProcess created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" startJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeProcess created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeProcess created: C:\1be23190e4cbe7570e736d15\Setup.exe c:\1be23190e4cbe7570e736d15\Setup.exe /q
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exeProcess created: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp "C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$504A4,6221732,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem"
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeProcess created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start RdmAppweb
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXESection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXESection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXESection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXESection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXESection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libappweb.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libslink.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libpcre.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: clusapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeSection loaded: iertutil.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: apphelp.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: acgenral.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: uxtheme.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: winmm.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: samcli.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msacm32.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: version.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: userenv.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: dwmapi.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: urlmon.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: mpr.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: sspicli.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: winmmbase.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: winmmbase.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: iertutil.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: srvcli.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: netutils.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: setupuser.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msi.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: winhttp.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: secur32.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: sqmapi.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msasn1.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: windows.storage.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: wldp.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: profapi.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: ntmarta.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: kernel.appcore.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msxml3.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: cryptsp.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: rsaenh.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: cryptbase.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: gpapi.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: msisip.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: srpapi.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: tsappcmp.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: netapi32.dll
Source: C:\1be23190e4cbe7570e736d15\Setup.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exeSection loaded: cryptui.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: atl100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvcp100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libappweb.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libslink.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libpcre.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpWindow found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpAutomated click: Next
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpDirectory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-86JQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpDirectory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-0SBL0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpDirectory created: C:\Program Files\Mozilla Firefox\is-GU0VV.tmp
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXEStatic PE information: certificate valid
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXEStatic file information: File size 41523552 > 1048576
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeFile opened: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\MSVCR100.dll
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXEStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Home\user\zlib-1.2.5\zlib1.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, 0000001D.00000000.2328115444.0000000001002000.00000020.00000001.01000000.00000017.sdmp, vcredist_x86.exe, 0000001D.00000002.2426660988.0000000001002000.00000020.00000001.01000000.00000017.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000562C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MFCM100U.i386.pdb source: mfcm100u.dll.31.dr
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdbLm source: is-RDHNK.tmp.15.dr
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb0p@ source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000562C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb$P source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: patchhooks.pdb source: 495214.msi.31.dr
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdb source: is-RDHNK.tmp.15.dr
Source: Binary string: EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib6)\a source: RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 0000001E.00000000.2349500285.0000000000801000.00000020.00000001.01000000.00000018.sdmp, Setup.exe, 0000001E.00000002.2420145503.0000000000801000.00000020.00000001.01000000.00000018.sdmp
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: RDMAppman.exe, RDMAppman.exe, 00000011.00000002.2280534298.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000012.00000002.2283501761.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000013.00000002.2297957399.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000014.00000002.2294670773.000000006C851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000030.00000002.2510791781.000000006C491000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000031.00000002.2543935184.000000006C491000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000032.00000002.2545500479.000000006C491000.00000020.00000001.01000000.0000000F.sdmp, is-DTEOI.tmp.15.dr
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, 0000001E.00000002.2424852931.000000006C371000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: Setupuser.pdb source: Setup.exe, 0000001E.00000002.2425333406.000000006C641000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}"@ source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: atl100.i386.pdb source: atl100.dll.31.dr
Source: Binary string: patchhooks.pdbX source: 495214.msi.31.dr
Source: Binary string: MFCM100U.i386.pdb00 source: mfcm100u.dll.31.dr
Source: Binary string: SetupResources.pdb source: SetupResources.dll6.29.dr, SetupResources.dll0.29.dr
Source: Binary string: SetupUi.pdb source: SetupUi.dll.29.dr
Source: Binary string: "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.2294323168.0000000001740000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2542492771.0000000001910000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 15_2_00450994
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: section name: .didata
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.tmp.0.dr | Static PE information: section name: .didata
Source: is-MBNC4.tmp.2.dr | Static PE information: section name: .didata
Source: is-VVEV9.tmp.2.dr | Static PE information: section name: .didata
Source: is-QG9IC.tmp.2.dr | Static PE information: section name: .didata
Source: WIN_DA_INSTALL_4.0.4.0.tmp.3.dr | Static PE information: section name: .didata
Source: is-292HM.tmp.4.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00406A18 push 00406A55h; ret | 14_2_00406A4D
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_004040B5 push eax; ret | 14_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00404185 push 00404391h; ret | 14_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00404206 push 00404391h; ret | 14_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_004042E8 push 00404391h; ret | 14_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00404283 push 00404391h; ret | 14_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_004093B4 push 004093E7h; ret | 14_2_004093DF
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00408580 push ecx; mov dword ptr [esp], eax | 14_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00409D9C push 00409DD9h; ret | 15_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0041A078 push ecx; mov dword ptr [esp], ecx | 15_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00452100 push ecx; mov dword ptr [esp], eax | 15_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040A273 push ds; ret | 15_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004062C4 push ecx; mov dword ptr [esp], eax | 15_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040A29F push ds; ret | 15_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00460518 push ecx; mov dword ptr [esp], ecx | 15_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00496594 push ecx; mov dword ptr [esp], ecx | 15_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004587B4 push 004587ECh; ret | 15_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00410930 push ecx; mov dword ptr [esp], edx | 15_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00486A94 push ecx; mov dword ptr [esp], ecx | 15_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00478D50 push ecx; mov dword ptr [esp], edx | 15_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00412D78 push 00412DDBh; ret | 15_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040D288 push ecx; mov dword ptr [esp], edx | 15_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040546D push eax; ret | 15_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040553D push 00405749h; ret | 15_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004055BE push 00405749h; ret | 15_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040563B push 00405749h; ret | 15_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004056A0 push 00405749h; ret | 15_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0040F7E8 push ecx; mov dword ptr [esp], edx | 15_2_0040F7EA
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_004438E0 push ecx; mov dword ptr [esp], ecx | 15_2_004438E4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00459ACC push 00459B10h; ret | 15_2_00459B08
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0049BD44 pushad ; retf | 15_2_0049BD53
Source: is-DTEOI.tmp.15.dr | Static PE information: section name: .text entropy: 6.9169969425576285
Source: F_CENTRAL_msvcr100_x86.31.dr | Static PE information: section name: .text entropy: 6.9169969425576285

Persistence and Installation Behavior

Source: C:\1be23190e4cbe7570e736d15\Setup.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5427A9B33E7D74F84EEE218A17BE40352B745EE0 Blob
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1028\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\removeFiles.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\is-MBNC4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\is-QOGGG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\iconv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-10704.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-BJ33M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1040\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\is-BEQKL.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\freebl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\libplc4.dll (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KK0P0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\3082\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-LUVU7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-MDBKU.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1033\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-V9QB2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\is-VVEV9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\libplds4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\unins000.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe | File created: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-MD2IU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libhttp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-1PB06.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\vcredist_x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-5F3F1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\nss3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libpcre.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-VFRCR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\unins000.exe (copy)
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | File created: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-03SO1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-MQG1O.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\2052\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\RDMUtil.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-FD1BT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5LAKS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DC0FQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_e1e6248d4d6cd4c6f1780d87dae23f0e.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\is-UGKNT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\is-292HM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-45Q42.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\is-55LVF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\libnspr4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-AV1LT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\smime3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Users\user\AppData\Local\Temp\is-6HH6B.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\atl100.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\zlib1.dll (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\is-8LMSL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\nssckbi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\nssdbm3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_cgi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_ssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_RDM_Support_4.0.3.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-F4PON.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-TRQ2S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-LKJRA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\softokn3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1049\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-SC7SE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1042\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-84CDJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1041\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\is-OBV31.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\sqmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmpr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5HS42.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KKTTM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmprssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1036\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-N252S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_d8f75e92d1eafb54afba47fcb3fb7417.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\nssutil3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-RTC54.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\msvcr100.dll (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\1031\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\CertMgr.Exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\Setup.exe
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_esp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-9F7BH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\libxml2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-EOSML.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\Setupuser.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | File created: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KRBRM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libappweb.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\is-QG9IC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\ssl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-OC01J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-B4BSA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DTEOI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-RDHNK.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libslink.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-HI1UM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-BK0O8.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-CLE2E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-OQIAI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe | File created: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe | File created: C:\1be23190e4cbe7570e736d15\SetupUi.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | File created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-O4K4B.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100cht.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\is-MD2IU.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\atl100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\zlib1.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100chs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\libxml2.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\iconv.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100deu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100ita.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcomp100.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\is-B4BSA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100enu.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm100u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\RDMUtil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\is-FD1BT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpFile created: C:\Windows\SysWOW64\is-OQIAI.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100esn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100kor.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100fra.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc100jpn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86Jump to dropped file
Source: C:\1be23190e4cbe7570e736d15\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20241031_143528385-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeFile created: c:\1be23190e4cbe7570e736d15\1049\eula.rtf
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\rdmappman
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 16_2_00EE1955 OpenSCManagerA,mprError,OpenServiceA,mprError,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,mprError
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_0041811E IsIconic,SetWindowPos
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_004245E4 IsIconic,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_0042462C IsIconic,SetActiveWindow,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_004179E8 IsIconic,GetCapture
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 15_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\1be23190e4cbe7570e736d15\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-AV1LT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1028\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6HH6B.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\removeFiles.exe (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\is-QOGGG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\iconv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\nssckbi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\nssdbm3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-10704.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-BJ33M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_cgi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_ssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1040\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-F4PON.tmp
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_RDM_Support_4.0.3.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-LKJRA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-TRQ2S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\softokn3.dll (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1049\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-SC7SE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\freebl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1042\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-84CDJ.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1041\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KK0P0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\3082\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5HS42.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-MDBKU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmprssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KKTTM.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1036\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-N252S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_d8f75e92d1eafb54afba47fcb3fb7417.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RTC54.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1033\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe Dropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\1031\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\CertMgr.Exe (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_esp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-MD2IU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-9F7BH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\libxml2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-EOSML.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\vcredist_x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-1PB06.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-5F3F1.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100.dll
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-VFRCR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KRBRM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\is-QG9IC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\ssl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-OC01J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-MQG1O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-03SO1.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-B4BSA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DTEOI.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-RDHNK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-HI1UM.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeDropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\2052\SetupResources.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\RDMUtil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-FD1BT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-CLE2E.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpDropped PE file which has not been started: C:\Windows\SysWOW64\is-OQIAI.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DC0FQ.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfc100kor.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exeDropped PE file which has not been started: C:\1be23190e4cbe7570e736d15\SetupUi.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\is-UGKNT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_e1e6248d4d6cd4c6f1780d87dae23f0e.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-45Q42.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\mfc100jpn.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\is-55LVF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmpDropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-O4K4B.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_14-6074
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeAPI coverage: 2.7 %
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeAPI coverage: 2.7 %
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\1be23190e4cbe7570e736d15\Setup.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\1be23190e4cbe7570e736d15\Setup.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_00476120 FindFirstFileA,FindNextFileA,FindClose,15_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_004531A4 FindFirstFileA,GetLastError,15_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,15_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,15_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_00463344 FindFirstFileA,FindNextFileA,FindClose,15_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,15_2_0049998C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C870CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C870CBB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86CC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,16_2_6C86CC23
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C87088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C87088A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86C8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,16_2_6C86C8FD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86E0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,16_2_6C86E0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C8381A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C8381A1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86FF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86FF0E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86F9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86F9DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86DBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,16_2_6C86DBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86F593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86F593
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86D687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,16_2_6C86D687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C87110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C87110C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C86F169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,16_2_6C86F169
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C8F5FA0 mprCreateList,mprJoinPath,FindFirstFileA,memcpy,fmt,mprAddItem,FindNextFileA,FindClose,16_2_6C8F5FA0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C835FA0 mprCreateList,mprJoinPath,FindFirstFileA,memcpy,fmt,mprAddItem,FindNextFileA,FindClose,17_2_6C835FA0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8B0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8B0CBB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8ACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,17_2_6C8ACC23
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8B088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8B088A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,17_2_6C8AC8FD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,17_2_6C8AE0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8781A1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AFF0E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AF9DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8ADBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,17_2_6C8ADBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AF593
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,17_2_6C8AD687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8B110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8B110C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 17_2_6C8AF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,17_2_6C8AF169
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exeCode function: 14_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,14_2_0040A018
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2552847931.0000000000AE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
Source: RDMAppweb.exe, 00000014.00000002.2294165847.0000000000B2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2552847931.0000000000AE5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\g^u
Source: RDMAppman.exe, 00000010.00000002.2277930462.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000011.00000002.2279985812.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000012.00000002.2283013163.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000013.00000002.2297160023.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000027.00000002.2459237758.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000030.00000002.2510127041.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000031.00000002.2542672571.0000000001298000.00000004.00000020.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2541961630.0000000000E48000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpProcess information queried: ProcessInformationJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_00EE2F34 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,16_2_00EE2F34
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C896BA4 VirtualProtect ?,-00000001,00000104,?16_2_6C896BA4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 15_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,15_2_00450994
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 16_2_6C899B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,16_2_6C899B6F
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_00EE2F34 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,16_2_00EE2F34
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C89AD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,16_2_6C89AD2C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8207A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,16_2_6C8207A7
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C89C097 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,16_2_6C89C097
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8F91CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,16_2_6C8F91CE
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_00EE2F34 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,17_2_00EE2F34
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8391CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,17_2_6C8391CE
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8DAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,17_2_6C8DAD2C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8607A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,17_2_6C8607A7
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C8DC097 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,17_2_6C8DC097
Source: C:\1be23190e4cbe7570e736d15\Setup.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0047974C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,15_2_0047974C
Source: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start RdmAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe "c:\users\user\appdata\local\temp\is-jde4m.tmp\rdmcert"\certutil.exe -a -n "rdm_device" -t "tcu,tcu,tcu" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\2o7hffxt.default-release\." -i "c:\users\user\appdata\local\temp\is-jde4m.tmp\rdmcert\rdmroot.pem"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe "c:\users\user\appdata\local\temp\is-jde4m.tmp\rdmcert"\certutil.exe -a -n "rdm_device" -t "tcu,tcu,tcu" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\2o7hffxt.default-release\." -i "c:\users\user\appdata\local\temp\is-jde4m.tmp\rdmcert\rdmroot.pem"
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0042F254 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,15_2_0042F254
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,15_2_0042E4EC
Source: Setup.exe, 0000001E.00000003.2375414267.0000000001728000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2375381864.0000000001721000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nl17[4004] [explorer.exe] [Program Manager] [Visible]up_
Source: Setup.exe, 0000001E.00000003.2375315968.0000000001741000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2375206961.0000000001710000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2375253212.000000000173C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Setup.exe, 0000001E.00000003.2375346168.0000000001719000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2375206961.0000000001710000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [4004] [explorer.exe] [Program Manager] [Visible]up_
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: GetLocaleInfoA,14_2_0040565C
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: GetLocaleInfoA,14_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: GetLocaleInfoA,15_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: GetLocaleInfoA,15_2_00408A04
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,16_2_6C89EF5C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: free,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,16_2_6C8274D0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,16_2_6C82750C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,16_2_6C82767A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,16_2_6C89F003
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,16_2_6C89F05E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,16_2_6C89F2EF
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,16_2_6C8252E4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,16_2_6C89F22F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,16_2_6C827270
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,16_2_6C8273B4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,16_2_6C89F356
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,17_2_6C8DEF5C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,17_2_6C8674D4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,17_2_6C86750C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,17_2_6C86767A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,17_2_6C8DF003
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,17_2_6C8DF05E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,17_2_6C8DF2EF
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,17_2_6C8652E4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,17_2_6C8DF22F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,17_2_6C867270
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,17_2_6C8673B4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,17_2_6C8DF356
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | Queries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,15_2_00458DC4
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_004026C4 GetSystemTime,14_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 15_2_00455D38 GetUserNameA,15_2_00455D38
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8362FC _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,_strlen,_malloc_crt,_strlen,strcpy_s,__invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,16_2_6C8362FC
Source: C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 14_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,14_2_00404654
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key3.db

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert.db
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8EED00 mprListenOnSocket,EnterCriticalSection,memcpy,mprGetSocketInfo,socket,setsockopt,setsockopt,setsockopt,closesocket,LeaveCriticalSection,bind,_errno,_errno,mprTraceProc,_errno,mprTraceProc,GetLastError,closesocket,SetLastError,listen,mprGetOsError,mprTraceProc,setsockopt,mprSetSocketBlockingMode,mprSetSocketNoDelay,LeaveCriticalSection,16_2_6C8EED00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 16_2_6C8D7060 mprSetSocketPrebindCallback,16_2_6C8D7060
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C82ED00 mprListenOnSocket,EnterCriticalSection,memcpy,mprGetSocketInfo,socket,setsockopt,setsockopt,setsockopt,closesocket,LeaveCriticalSection,bind,_errno,_errno,mprTraceProc,_errno,mprTraceProc,GetLastError,closesocket,SetLastError,listen,mprGetOsError,mprTraceProc,setsockopt,mprSetSocketBlockingMode,mprSetSocketNoDelay,LeaveCriticalSection,17_2_6C82ED00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 17_2_6C817060 mprSetSocketPrebindCallback,17_2_6C817060
MITRE ATT&CK Matrix (the number in a cell is the count of signatures matched for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 1 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 21 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 13 Command and Scripting Interpreter | 43 Windows Service | 1 Access Token Manipulation | 4 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 22 Service Execution | Login Hook | 43 Windows Service | 1 Install Root Certificate | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 13 Process Injection | 1 Software Packing | LSA Secrets | 28 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 33 Masquerading | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 13 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Regsvr32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph (ID 1546329), given here as a text process tree because the graph image did not survive extraction

Sample: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Start date: 31/10/2024
Architecture: WINDOWS
Score: 42
DNS/IP: 126.131.12.0.in-addr.arpa
Signatures on the sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Found stalling execution ending in API Sleep call; 3 other signatures

Process tree (dropped files and signatures are listed under the process that produced them):

  • WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
      dropped: C:\Users\...\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp (PE32)
      • WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
          dropped: C:\Users\user\AppData\Local\...\is-VVEV9.tmp (PE32), C:\Users\user\AppData\Local\...\is-QG9IC.tmp (PE32), C:\Users\user\AppData\Local\...\is-MBNC4.tmp (PE32), 4 other files (none is malicious)
          • WIN_DA_Install_4.0.4.0.exe
              dropped: C:\Users\user\...\WIN_DA_INSTALL_4.0.4.0.tmp (PE32)
              • WIN_DA_INSTALL_4.0.4.0.tmp
                  dropped: C:\Windows\SysWOW64\zlib1.dll (copy) (PE32), C:\Windows\SysWOW64\libxml2.dll (copy) (PE32), C:\Windows\SysWOW64\is-OQIAI.tmp (PE32), 22 other files (none is malicious)
                  • RDM_ROOT_CERTIFICATE.exe
                      dropped: C:\Users\user\...\RDM_ROOT_CERTIFICATE.tmp (PE32)
                      • RDM_ROOT_CERTIFICATE.tmp
                          dropped: C:\Users\user\AppData\...\certutil.exe (copy) (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\...\ssl3.dll (copy) (PE32), 26 other files (none is malicious)
                          • cmd.exe
                              • certutil.exe
                                  dropped: C:\Users\user\AppData\Roaming\...\secmod.db (Berkeley), C:\Users\user\AppData\Roaming\...\key3.db (Berkeley), C:\Users\user\AppData\Roaming\...\cert8.db (Berkeley)
                                  signatures: Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc)
                              • conhost.exe
                              • cmd.exe
                          • certmgr.exe
                              signature: Installs new ROOT certificates
                              • conhost.exe
                  • rdmappweb-4.6.0-ms-windows-x86.exe
                      dropped: C:\...\rdmappweb-4.6.0-ms-windows-x86.tmp (PE32)
                      • rdmappweb-4.6.0-ms-windows-x86.tmp
                          dropped: C:\...\RDMAppman.exe (copy) (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\...\unins000.exe (copy) (PE32), 38 other files (none is malicious)
                          • RDMAppman.exe (three instances)
                  • vcredist_x86.exe
                      dropped: C:\1be23190e4cbe7570e736d15\sqmapi.dll (PE32), C:\1be23190e4cbe7570e736d15\Setupuser.dll (PE32), C:\1be23190e4cbe7570e736d15\SetupUi.dll (PE32), 11 other files (none is malicious)
                      • Setup.exe
                          signature: Installs new ROOT certificates
                  • 12 other processes
                      • conhost.exe (three instances), 17 other processes
          • WIN_SCM_Support_4.0.3.1.exe
              dropped: C:\Users\user\...\WIN_SCM_SUPPORT_4.0.3.1.tmp (PE32)
  • msiexec.exe
      dropped: C:\Windows\SysWOW64\vcomp100.dll (PE32), C:\Windows\SysWOW64\mfcm100u.dll (PE32), C:\Windows\SysWOW64\mfcm100.dll (PE32), 16 other files (none is malicious)
  • RDMAppman.exe
      • RDMAppweb.exe
          • conhost.exe
  • RDMAppman.exe
      • RDMAppweb.exe
          • conhost.exe

Antivirus detection for the submitted sample

Source | Detection | Scanner | Label
WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | 29% | ReversingLabs |
WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | 100% | Avira | TR/Redcap.brxte
Antivirus detection for dropped files

Source | Detection | Scanner | Label
C:\1be23190e4cbe7570e736d15\1028\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1031\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1033\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1036\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1040\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1041\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1042\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\1049\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\2052\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\3082\SetupResources.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\Setup.exe | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\Setupuser.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\SetupUi.dll | 0% | ReversingLabs |
C:\1be23190e4cbe7570e736d15\sqmapi.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\CertMgr.Exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\install (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-03SO1.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-1PB06.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-240RI.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-45Q42.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5HS42.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5LAKS.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-AV1LT.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-BK0O8.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-CLE2E.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DC0FQ.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DO484.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DTEOI.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-HI1UM.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KK0P0.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KKTTM.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KRBRM.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-LKJRA.tmp | 2% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-RDHNK.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-VFRCR.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libappweb.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libhttp.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_cgi.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_esp.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_ssl.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmpr.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmprssl.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libpcre.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libslink.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\msvcr100.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\removeFiles.exe (copy) | 2% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\uninstall (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_d8f75e92d1eafb54afba47fcb3fb7417.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_e1e6248d4d6cd4c6f1780d87dae23f0e.dll (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-O4K4B.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-TRQ2S.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\is-QOGGG.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\is-55LVF.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\vcredist_x86.exe (copy) | 0% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\is-UGKNT.tmp | 4% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\unins000.exe (copy) | 4% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\is-292HM.tmp | 2% | ReversingLabs |
C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\unins000.exe (copy) | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-6HH6B.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\is-8LMSL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\is-BEQKL.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\is-OBV31.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe (copy) | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\freebl3.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-10704.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-5F3F1.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-84CDJ.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-9F7BH.tmp | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-BJ33M.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-EOSML.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-F4PON.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-LUVU7.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-MDBKU.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\is-MQG1O.tmp | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://jquery.org/license | 0% | URL Reputation | safe |
http://sizzlejs.com/ | 0% | URL Reputation | safe |
http://jqueryui.com | 0% | URL Reputation | safe |
http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript | 0% | URL Reputation | safe |
https://bugs.webkit.org/show_bug.cgi?id=29084 | 0% | URL Reputation | safe |
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe |
https://www.remobjects.com/ps | 0% | URL Reputation | safe |
https://www.innosetup.com/ | 0% | URL Reputation | safe |
http://www.innosetup.com/ | 0% | URL Reputation | safe |
https://developer.mozilla.org/en-US/docs/CSS/display | 0% | URL Reputation | safe |
http://www.remobjects.com/psU | 0% | URL Reputation | safe |
http://www.remobjects.com/ps | 0% | URL Reputation | safe |
http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291 | 0% | URL Reputation | safe |
http://javascript.nwbox.com/IEContentLoaded/ | 0% | URL Reputation | safe |
http://jquery.com/ | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
126.131.12.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG | is-RDHNK.tmp.15.dr | false | | unknown
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, is-VVEV9.tmp.2.dr | false | | unknown
http://www.rdmcorp.com//industries-served/check-cashing | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/company/board-of-directors | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://jquery.org/license | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.openssl.org/V | is-RDHNK.tmp.15.dr | false | | unknown
http://www.rdmcorp.com/support | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000000.2435227336.0000000000401000.00000020.00000001.01000000.0000001E.sdmp | false | | unknown
http://sizzlejs.com/ | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.rdmcorp.com/payment-processing-solutions | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://jqueryui.com | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-Q6KL2.tmp.4.dr | false | URL Reputation: safe | unknown
http://embedthis.com/products/appweb/doc/guide/appweb/users/authentication.html. | rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2285969878.000000000018E000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://purl.oclc.org/dsdl/schematron | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.comA | WIN_DA_Install_4.0.4.0.exe, 00000003.00000003.2556160502.000000000235A000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2644788370.000000000232A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://jsperf.com/getall-vs-sizzle/2 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://bugs.webkit.org/show_bug.cgi?id=29084 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascc.net/xml/schematron | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.openssl.org/support/faq.html | is-RDHNK.tmp.15.dr | false | URL Reputation: safe | unknown
http://www.rdmcorp.com/industries-served/financial-institutions | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://blindsignals.com/index.php/2009/07/jquery-delay/ | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://bugs.jquery.com/ticket/12282#comment:15 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-Q6KL2.tmp.4.dr | false | | unknown
http://dev.w3.org/csswg/cssom/#resolved-values | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/digital-imaging-solutions/check-scanners | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://github.com/jquery/jquery/pull/557) | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtdConverting | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/company/industry-links | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://www.remobjects.com/ps | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.0000000002500000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000002.00000000.2141524507.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | false | URL Reputation: safe | unknown
http://www.rdmcorp.com/contact | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://www.innosetup.com/ | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2140117315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2139739907.0000000002500000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000002.00000000.2141524507.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | false | URL Reputation: safe | unknown
https://localhost:736/SCM/4.0/da.espDA_UserIdInstallFile | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https:///admin/login.esp | rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2285969878.000000000018E000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
https://localhost:736/SCM/4.0/da.esp | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.ascc.net/xml/schematronhttp://purl.oclc.org/dsdl/schematronallocating | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://go.microsoft.c/fwlink/?LinkId=146008 | Setup.exe, 0000001E.00000003.2355692370.0000000001706000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2358356107.0000000001706000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://github.com/jquery/jquery/pull/764 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://schemas.q | Setup.exe, 0000001E.00000003.2353320753.0000000001706000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/company/investors | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/payment-processing-solutions/image-cash-letter | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/payment-processing-solutions/professional-services | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.comQ6& | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2925797114.0000000002263000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/company/executive-team | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.innosetup.com/ | rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000000.2436733705.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown
http://www.rdmcorp.com/digital-imaging-solutions | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com | WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2571489815.0000000002580000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2644788370.000000000232A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/partners/find-a-partner | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://bugs.jquery.com/ticket/12359 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/news-and-events | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/terms-of-use | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=649285 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/company/about-us | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/digital-imaging-solutions/all-in-one-payment-terminal | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | rdmappweb-4.6.0-ms-windows-x86.exe, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000000.2435227336.0000000000401000.00000020.00000001.01000000.0000001E.sdmp | false | | unknown
http://go.microsoft. | Setup.exe, 0000001E.00000003.2353951933.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001E.00000003.2359688268.00000000033C0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/privacy-statement | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/industries-served/brokerage-firms | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/digital-imaging-solutions/micr-image-quality-control | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://relaxng.org/ns/structure/1.0allocating | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://developer.mozilla.org/en-US/docs/CSS/display | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://bugs.jquery.com/ticket/13378 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/psU | rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2261482932.000000000211C000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2260825817.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000000.2436733705.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown
https://developer.mozilla.org/en/Security/CSP) | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.zlib.net/D | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000002.2553200589.000000000018F000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/markets-served | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/payment-processing-solutions/data-management | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/payment-processing-solutions/remote-deposit-capture | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://localhost:736/SCM/4.0/scm.esp | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, is-2SN5D.tmp.4.dr | false | | unknown
http://www.rdmcorp.com/company/careers | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.comQ7Q | WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000002.00000003.2921972489.0000000002513000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://relaxng.org/ns/structure/1.0 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.000000000571D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005497000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2543123509.000000006B87B000.00000002.00000001.01000000.0000002E.sdmp | false | | unknown
http://www.remobjects.com/ps | rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2261482932.000000000211C000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2260825817.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436033194.0000000002330000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2436217351.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000000.2436733705.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown
http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/jquery/sizzle/pull/225 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=491668 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/industries-served/property-management | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://javascript.nwbox.com/IEContentLoaded/ | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://jquery.com/ | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.rdmcorp.com& | RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2464314271.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000020.00000003.2435689448.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2437614454.0000000002208000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000021.00000003.2462692515.0000000002208000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.rdmcorp.com/payment-processing-solutions/remittance-processing | WIN_DA_INSTALL_4.0.4.0.tmp, 00000004.00000003.2545896722.0000000005080000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://embedthis.com/downloads/licensing.html | rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2259523840.0000000002111000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2259454420.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000E.00000003.2291371648.0000000002111000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2264674334.0000000002128000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2264600051.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2284146975.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000F.00000003.2285664817.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                                                                                                                                            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546329
Start date and time: 2024-10-31 19:34:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 68
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Detection: MAL
Classification: mal42.phis.spyw.evad.winEXE@103/367@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 186
• Number of non-executed functions: 304
Cookbook Comments:
• Found application associated with file extension: .EXE
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
                                                                                                                                            No simulations
                                                                                                                                            No context
                                                                                                                                            No context
                                                                                                                                            No context
                                                                                                                                            No context
Match: C:\1be23190e4cbe7570e736d15\1028\SetupResources.dll
Associated samples (name / URL, Detection, Threat Name):
• https://storage.googleapis.com/vectric_public/Cut2DDesktopTrialEdition_Setup.exe, Detection: malicious, Threat Name: Unknown
• https://download.info.apple.com/Mac_OS_X/031-30890-20150812-ea191174-4130-11e5-a125-930911ba098f/bootcamp5.1.5769.zip, Detection: malicious, Threat Name: Unknown
• Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe, Detection: malicious, Threat Name: Unknown
• ESjy0irMIn.exe, Detection: malicious, Threat Name: Njrat
• dotNetFx40_Full_setup.exe, Detection: malicious, Threat Name: Phemedrone Stealer
• Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious, Threat Name: Unknown
• http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip, Detection: malicious, Threat Name: Unknown
• https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe, Detection: malicious, Threat Name: Unknown
• dotNetFx40_Full_x86_x64.exe, Detection: malicious, Threat Name: Unknown

Match: C:\1be23190e4cbe7570e736d15\1031\SetupResources.dll
Associated samples (name / URL, Detection, Threat Name):
• https://storage.googleapis.com/vectric_public/Cut2DDesktopTrialEdition_Setup.exe, Detection: malicious, Threat Name: Unknown
• https://download.info.apple.com/Mac_OS_X/031-30890-20150812-ea191174-4130-11e5-a125-930911ba098f/bootcamp5.1.5769.zip, Detection: malicious, Threat Name: Unknown
• Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe, Detection: malicious, Threat Name: Unknown
• ESjy0irMIn.exe, Detection: malicious, Threat Name: Njrat
• dotNetFx40_Full_setup.exe, Detection: malicious, Threat Name: Phemedrone Stealer
• Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious, Threat Name: Unknown
• http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip, Detection: malicious, Threat Name: Unknown
• https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe, Detection: malicious, Threat Name: Unknown
• dotNetFx40_Full_x86_x64.exe, Detection: malicious, Threat Name: Unknown
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):788
                                                                                                                                                                                Entropy (8bit):0.09823380614560741
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:lbll/:lB
                                                                                                                                                                                MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                                                                                                                                                                                SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                                                                                                                                                                                SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                                                                                                                                                                                SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Sdwn................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):30672
                                                                                                                                                                                Entropy (8bit):4.2936704552740705
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
                                                                                                                                                                                MD5:7FC06A77D9AAFCA9FB19FAFA0F919100
                                                                                                                                                                                SHA1:E565740E7D582CD73F8D3B12DE2F4579FF18BB41
                                                                                                                                                                                SHA-256:A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
                                                                                                                                                                                SHA-512:466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .x.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .I.A.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P\Omi.|q}.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. ..SI.ce|vWY.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):14168
                                                                                                                                                                                Entropy (8bit):5.9724110685335825
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                                                                                                                                                                MD5:7C136B92983CEC25F85336056E45F3E8
                                                                                                                                                                                SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                                                                                                                                                                SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                                                                                                                                                                SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                                                                                                                                                                Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe, Detection: malicious
• Filename: ESjy0irMIn.exe, Detection: malicious
• Filename: dotNetFx40_Full_setup.exe, Detection: malicious
• Filename: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):188446
                                                                                                                                                                                Entropy (8bit):4.98936861773382
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:vjB8N7T+SN6FY5PmQlivKawlrIMUkYfkv8CshgJNgRJAoJvIrOJBElrhzxQXK6uG:o7SSN6FYtmQlivKawlrIMUkYfkv8Cs4U
                                                                                                                                                                                MD5:129D8E8824B0D545ADC29E571A6E2C02
                                                                                                                                                                                SHA1:5A1DDFCD2AE21D96C818D315CB5E263F525A39CD
                                                                                                                                                                                SHA-256:83B8268E2874699227F9B1AD3F72A06CBF474EFA3983F5C5EE9BFE415DB98476
                                                                                                                                                                                SHA-512:1048F646D5866DC8736DB0A023A65A7E208A5F56774FA8EC5D59E4272A54A9A6E94B01B84293A7EC9F889BAD7865522E783AF30BF61BB9249687DCEAC62066D8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????\'a1\'ec???};}{\f14\fbidi \froman\fcharset136\fprq2{\*\panose 02020500000000000000}PMingLiU{\*\falt \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\fa
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):41622
                                                                                                                                                                                Entropy (8bit):3.577523249714746
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
                                                                                                                                                                                MD5:B83C3803712E61811C438F6E98790369
                                                                                                                                                                                SHA1:61A0BC59388786CED045ACD82621BEE8578CAE5A
                                                                                                                                                                                SHA-256:2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
                                                                                                                                                                                SHA-512:E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .x.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.a.l.l.i.e.r.t. .w.e.r.d.e.n..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .I.A.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):18776
                                                                                                                                                                                Entropy (8bit):5.135663555520085
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
                                                                                                                                                                                MD5:7C9AE49B3A400C728A55DD1CACC8FFB2
                                                                                                                                                                                SHA1:DD3A370F541010AD650F4F6AA42E0CFC68A00E66
                                                                                                                                                                                SHA-256:402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
                                                                                                                                                                                SHA-512:D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                 Joe Sandbox View:
                                                                                                                                                                                 • Filename: , Detection: malicious
                                                                                                                                                                                 • Filename: , Detection: malicious
                                                                                                                                                                                 • Filename: Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe, Detection: malicious
                                                                                                                                                                                 • Filename: ESjy0irMIn.exe, Detection: malicious
                                                                                                                                                                                 • Filename: dotNetFx40_Full_setup.exe, Detection: malicious
                                                                                                                                                                                 • Filename: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious
                                                                                                                                                                                 • Filename: , Detection: malicious
                                                                                                                                                                                 • Filename: , Detection: malicious
                                                                                                                                                                                 • Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................P.......D....@.......................................... ..`+...........2..X............................................................................................text...G...........................@..@.rsrc....0... ...,..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):163866
                                                                                                                                                                                Entropy (8bit):5.029712171633306
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:oiJ+vgRJA8J/snalBEm0OgKXIJR10GZybh2C:aQ
                                                                                                                                                                                MD5:117DABB5A055B09B6DB6BCBA8F911073
                                                                                                                                                                                SHA1:E8F5D907939400824CC5DADB681852C35CA7BB79
                                                                                                                                                                                SHA-256:DAEA9CD8151A2C24A87C3254DEC1DE0463234E44922C8E0AA4E01AB58EC89664
                                                                                                                                                                                SHA-512:E995D03998BE9F07F9E9B8566E429D3795ADBDEEEFB2048D6B8877CE15A0ABFCE4FAAEE8DC773250495C15CC35FD0040D81593B51067533836D5F3CF8612D3C4
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????\'a1\'ec???};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fpr
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):39246
                                                                                                                                                                                Entropy (8bit):3.5443876937052083
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
                                                                                                                                                                                MD5:D642E322D1E8B739510CA540F8E779F9
                                                                                                                                                                                SHA1:36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
                                                                                                                                                                                SHA-256:5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
                                                                                                                                                                                SHA-512:E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):17240
                                                                                                                                                                                Entropy (8bit):5.151474565875158
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
                                                                                                                                                                                MD5:9547D24AC04B4D0D1DBF84F74F54FAF7
                                                                                                                                                                                SHA1:71AF6001C931C3DE7C98DDC337D89AB133FE48BB
                                                                                                                                                                                SHA-256:36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
                                                                                                                                                                                SHA-512:8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........(...............................................P......<f....@.......................................... ...%...........,..X............................................................................................text...G...........................@..@.rsrc....%... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7080
                                                                                                                                                                                Entropy (8bit):4.934776172726828
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:9fcddvfbS9u6zZ+kodpj4eQ1lhcgi5X90vJqpsSih2:y/fbSZ/odpjmlhcgi5NSkRA2
                                                                                                                                                                                MD5:19D028345AADCC05697EEC6D8C5B5874
                                                                                                                                                                                SHA1:70BD3D4D51373FB82F0257F28D5F3609BFC82520
                                                                                                                                                                                SHA-256:F4FF4EACE31B75176A0806E1693041D546D2599AEC0C77D295BAD09CAC7D9FE7
                                                                                                                                                                                SHA-512:9B3DFFEC7C1595197AF69E59094588541558BEF56982475DDDD2C9E3D75FC8B970B384452713632AE20435EC0CAEC6CC4CD8CEC9CD4B4809335FDC9F2CC7B842
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\f1\par..\pard\nowidctlpar\fi-360\li360\sb120\sa120\tx360\f2\'b7\tab\f0 updates,\f1\par..\f2\'b7\tab\f0 supplements,\f1\par..\f2\'b7\tab\f0 Internet-based services, and \f1\par..\f2\'b7\tab\f0 support services\f1\par.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):41492
                                                                                                                                                                                Entropy (8bit):3.5522209001567364
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
                                                                                                                                                                                MD5:E382ABC19294F779D2833287242E7BC6
                                                                                                                                                                                SHA1:1CEAE32D6B24A3832F9244F5791382865B668A72
                                                                                                                                                                                SHA-256:43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
                                                                                                                                                                                SHA-512:06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .x.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.l.l... .s.u.r. .c.e.t.t.e. .p.l.a.t.e.f.o.r.m.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .I.A.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18776
Entropy (8bit):5.112489568342605
Encrypted:false
SSDEEP:384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
MD5:93F57216FE49E7E2A75844EDFCCC2E09
SHA1:DCCD52787F147E9581D303A444C8EE134AFC61A8
SHA-256:2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
SHA-512:EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):162915
Entropy (8bit):5.023428742885146
Encrypted:false
SSDEEP:3072:Xn6ipERiA7JzI3ilBEBr97dQnKG5zpZ27KN4:KiZ
MD5:BBBBB0BDA00FDA985BB39FEE5FD04FF8
SHA1:3053CF30FAD92F133AD3EA7EEFB8C729D323EA00
SHA-256:3CB591E6801E91FE58E79449F7C99B88C3BA0ACE5D922B4AA0C8F2CDD81854BD
SHA-512:32CC1B0F033B13D7614F8BD80DE4D3F9D4668632010BCB563E90773FB2F4971D19206C46B0C2B0E55308CA14F4DEAF5EB415DAE5F2C0C4331B5DF0AE44B2F61E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
Category:dropped
Size (bytes):40338
Entropy (8bit):3.5295538496820984
Encrypted:false
SSDEEP:384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
MD5:0AF948FE4142E34092F9DD47A4B8C275
SHA1:B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
SHA-256:C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
SHA-512:D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18264
Entropy (8bit):5.142702232041524
Encrypted:false
SSDEEP:384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
MD5:E4860FC5D4C114D5C0781714F3BF041A
SHA1:864CE88E8AB1DB9AFF6935F9231521B6B72D5974
SHA-256:6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
SHA-512:39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):189369
Entropy (8bit):4.993456059906976
Encrypted:false
SSDEEP:3072:8K91dpBgRJA8J/snalBEm0OgKXIJR10GZybh2C:8aK
MD5:F1602100F6C135AB5D8026E9248BAF02
SHA1:DEBE92E8761F5320352DCFFE844FB25A10E9EA14
SHA-256:284A8BBA438DA22A1B4F497B0B4ED1D9886184859527B87FF7350C83F198AB2D
SHA-512:2A0FBEF3114B54EDB400D913D317A5097801834BEE0FB536B0FF645DD1CA40A1451945AD563119A5BA80F26B51CDA8B23E93BE71D7C82723AFEDE3CBF1DA00C6
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
Category:dropped
Size (bytes):34318
Entropy (8bit):4.3825885013202255
Encrypted:false
SSDEEP:192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
MD5:7FCFBC308B0C42DCBD8365BA62BADA05
SHA1:18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
SHA-256:01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
SHA-512:CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15704
Entropy (8bit):5.929554826924656
Encrypted:false
SSDEEP:192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
MD5:278FD7595B580A016705D00BE363612F
SHA1:89A299A9ABECB624C3606267371B7C07B74B3B26
SHA-256:B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
SHA-512:838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):181054
Entropy (8bit):4.962328655200384
Encrypted:false
SSDEEP:3072:7vykJ9MRJAwJjAXetBE1rRbe+KusGWqcJ2V:fJ
MD5:89D66A0B94450729015D021BC8F859E9
SHA1:C9AD4C7DCDAFEAD282DAA1C214E7A0EAB567FFD5
SHA-256:6A1884515CC4378D732F681934658252A4B45D76CE7F53CF8650BE794CC8D390
SHA-512:336A5B1CBF2F52DF5B151A564C8452826D253F9FC565C865D7BA37B91229996D9AE59603350BD5CD99352ED63D265D8578095560CB7DE67DA7E1AA2135FBF0FB
Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32962
                                                                                                                                                                                Entropy (8bit):4.366055142656104
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
                                                                                                                                                                                MD5:71DFD70AE141F1D5C1366CB661B354B2
                                                                                                                                                                                SHA1:C4B22590E6F6DD5D39E5158B831AE217CE17A776
                                                                                                                                                                                SHA-256:CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
                                                                                                                                                                                SHA-512:5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. .$.X. ...\.....D. .....X.$.t. .x.6.4. ......t. .D..i..... .t. ......... .$.X.`. ... ........"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. .$.X. ...\.....D. .....X.$.t. .I.A.6.4. ......t. .D..i..... .t. ......... .$.X.`. ... ........"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".t. ..... ........... .M.i.c.r.o.s.o.f.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15192
                                                                                                                                                                                Entropy (8bit):5.9622226182057325
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
                                                                                                                                                                                MD5:FCFD69EC15A6897A940B0435439BF5FC
                                                                                                                                                                                SHA1:6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
                                                                                                                                                                                SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
                                                                                                                                                                                SHA-512:4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!......... ...............................................@......v.....@.......................................... ...............$..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):351492
                                                                                                                                                                                Entropy (8bit):4.844773730829239
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:bNK7z5n/OLs3+lAB4HeqyOOZjYCrv1MT2hhO0kN9okLgd80UKdF8K8Zb4ajD/y9m:bI79kaIDUhOhQAUiK/9/MjZr
                                                                                                                                                                                MD5:8203E9FC25A5720AFB8C43E8BE10C3B0
                                                                                                                                                                                SHA1:FC7D9B452B6D5475FD1EF61B78E8BC6E32F08974
                                                                                                                                                                                SHA-256:0EBD62213F41DFFA0BCD939BDC6ABC25096E95112C217FDF27CE661A19AD0866
                                                                                                                                                                                SHA-512:F95DCB9C25436AE322C240A0D0ABD9F4904A5AF313CAC5CB8C90C1A5460DAD8E983347AD7540C672046E4210945B053B75313BB6D10B44B2A0BF0024B400E81E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch12\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\*\panose 02030600000101010101}Batang{\*\falt \'b9\'d9\'c5\'c1};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ??????????????????????????????\'a1\'a7};}{\f20\fbidi \froman\fcharset129\f
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):40428
                                                                                                                                                                                Entropy (8bit):4.232828720335164
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
                                                                                                                                                                                MD5:0EEB554D0B9F9FCDB22401E2532E9CD0
                                                                                                                                                                                SHA1:08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
                                                                                                                                                                                SHA-256:BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
                                                                                                                                                                                SHA-512:2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .x.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .I.A.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):18264
                                                                                                                                                                                Entropy (8bit):5.548909804205606
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
                                                                                                                                                                                MD5:7EF74AF6AB5760950A1D233C582099F1
                                                                                                                                                                                SHA1:BF79FF66346907446F4F95E1E785A03CA108EB5D
                                                                                                                                                                                SHA-256:658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
                                                                                                                                                                                SHA-512:BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......O.....@.......................................... ...*...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):213363
                                                                                                                                                                                Entropy (8bit):4.934134633374225
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:D/fSz7yMsMyN1FyRtXSWS3SoSalsySMDS7SmSJ8SUSPsBa5IqDSySipSAS6ASGS+:pG
                                                                                                                                                                                MD5:5B95EFBC01DC97EE9A6C6F64A49AA62D
                                                                                                                                                                                SHA1:A99C984A0D5E316FE60D588A3519F2D5C805C1DE
                                                                                                                                                                                SHA-256:0CFACFF2B63121AD1D71376E4A3799B93B7E6D278209FE4806CCA0F74830CFC1
                                                                                                                                                                                SHA-512:A0B19864E68945A74BCE24C8D5EB0050ABB66C6FF6A53D0482FFA70E93EEE2957608BB9BDE535718D56CD5D7509B4DD7A1786C99BC2120344293234B7A6C2A3B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????????};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fprq2{\*\p
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):31138
                                                                                                                                                                                Entropy (8bit):4.240036868712424
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
                                                                                                                                                                                MD5:52B1DC12CE4153AA759FB3BBE04D01FC
                                                                                                                                                                                SHA1:BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
                                                                                                                                                                                SHA-256:D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
                                                                                                                                                                                SHA-512:418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .x.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .I.A.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.d\O.|.~.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e..0"./.>..... . . . . . .<.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):14168
                                                                                                                                                                                Entropy (8bit):6.010838262457833
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
                                                                                                                                                                                MD5:407CDB7E1C2C862B486CDE45F863AE6E
                                                                                                                                                                                SHA1:308AEEBEB1E1663ACA26CE880191F936D0E4E683
                                                                                                                                                                                SHA-256:9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
                                                                                                                                                                                SHA-512:7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@.......y....@.......................................... ............... ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
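The entries above list, for each file that vcredist_x86.exe dropped, the same fixed set of fields: size, 8-bit entropy, the four digests, and a libmagic-style file type. The following script, an added example that is not code from Joe Sandbox or from the analysed installer, reproduces those fields for files on disk and diffs them against a report entry, so an extracted dropped file can be checked against the hashes listed here (or against a known-good copy of the Microsoft Visual C++ 2010 redistributable). The three sample files are constructed inline and contain made-up content; `REPORT_ENTRY` copies the MD5/SHA1/SHA-256 of the 15192-byte DLL listed above; the directory scanned by `scan_directory` is an assumption.

```python
"""Reproduce the per-file fields of a sandbox 'dropped files' entry and diff them
against a report entry. Added example, not Joe Sandbox code. Sample files are
constructed inline; any directory path passed to scan_directory() is an assumption."""
import hashlib
import math
from collections import Counter
from pathlib import Path

# Values copied from the report entry for one dropped vcredist_x86.exe DLL (15192 bytes).
REPORT_ENTRY = {
    "size": 15192,
    "MD5": "FCFD69EC15A6897A940B0435439BF5FC",
    "SHA1": "6DE41CABDB45294819FC003560F9A2D1E3DB9A7B",
    "SHA-256": "90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45",
}


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests, matching the report's formatting."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def guess_type(data: bytes) -> str:
    """Magic-byte classification for the three file kinds in this part of the report."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")        # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 24:
            machine = int.from_bytes(data[pe_off + 4:pe_off + 6], "little")
            characteristics = int.from_bytes(data[pe_off + 22:pe_off + 24], "little")
            arch = {0x14C: "Intel 80386", 0x8664: "x86-64"}.get(machine, hex(machine))
            kind = "DLL" if characteristics & 0x2000 else "executable"  # IMAGE_FILE_DLL
            return f"PE32 {kind} ({arch})"
        return "MZ stub without PE header"
    if data.startswith(b"{\\rtf1"):
        return "Rich Text Format"
    if data.startswith(b"\xff\xfe") and b"<\x00?\x00x\x00m\x00l\x00" in data[:64]:
        return "XML, UTF-16 little-endian"
    if data.lstrip().startswith(b"<?xml"):
        return "XML"
    return "unknown"


def describe(name: str, data: bytes) -> dict:
    """One record with the same fields a report entry carries."""
    rec = {"name": name, "size": len(data), "type": guess_type(data),
           "entropy": round(shannon_entropy_8bit(data), 6)}
    rec.update(digests(data))
    return rec


def check_against_report(record: dict, expected: dict) -> list:
    """Names of fields where the file differs from the report entry; [] means it matches."""
    return [k for k, v in expected.items()
            if str(record.get(k, "")).upper() != str(v).upper()]


def constructed_pe(is_dll: bool) -> bytes:
    """Minimal MZ + 'PE\\0\\0' + IMAGE_FILE_HEADER; not loadable, enough for guess_type()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")          # PE header directly after the stub
    characteristics = 0x0102 | (0x2000 if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_header = ((0x14C).to_bytes(2, "little") + (2).to_bytes(2, "little") + bytes(12)
                   + (0xE0).to_bytes(2, "little") + characteristics.to_bytes(2, "little"))
    return bytes(dos) + b"PE\0\0" + file_header


def constructed_samples() -> dict:
    """Stand-ins for the three dropped-file kinds; contents are made up for this example."""
    xml = "<?xml version=\"1.0\" encoding=\"utf-16\"?>\r\n<Setup/>"
    return {
        "sample.dll": constructed_pe(is_dll=True),
        "eula.rtf": b"{\\rtf1\\adeflang1025\\ansi\\ansicpg1252\\deflang1033 EULA text}",
        "localizeddata.xml": b"\xff\xfe" + xml.encode("utf-16-le"),
    }


def scan_directory(path: Path) -> list:
    """Describe every regular file in a directory of extracted dropped files (assumed path)."""
    return [describe(p.name, p.read_bytes()) for p in sorted(path.iterdir()) if p.is_file()]


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        rec = describe(name, data)
        print(rec["name"], rec["type"], rec["size"], rec["entropy"], rec["SHA-256"])
    # The constructed DLL is not the one in the report, so every compared field differs.
    print(check_against_report(describe("sample.dll", constructed_pe(True)), REPORT_ENTRY))
```

An empty list from `check_against_report` against the report's own digests is the condition a practitioner wants before treating a dropped file as the known redistributable component; a mismatch on size or any digest means the file on disk is not the one the sandbox recorded and needs to be looked at on its own.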

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):225202
Entropy (8bit):4.985888615397263
Encrypted:false
SSDEEP:3072:0pvaMOA6EOEGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Kho:6v+Ez0
MD5:6E5BDDF58163B11C79577B35A87A4424
SHA1:8AAA1008360F7B255A6A88AD02D3A00DEB8B0AE6
SHA-256:D4A26E3756437CA8BA132AE3A73AA7A829478A847D6B9AB69A8090515CE9A60A
SHA-512:21DD9D754C0A3A383F20259E87AA4769D6ECB36753039DCE8B644E16E0ABC3C94B4B850648E0369474C914655140E7F3CC3E808ED27E70892A863F61F8588C6E
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
Category:dropped
Size (bytes):40912
Entropy (8bit):3.5296334743141515
Encrypted:false
SSDEEP:384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
MD5:5397A12D466D55D566B4209E0E4F92D3
SHA1:FCFFD8961FB487995543FC173521FDF5DF6E243B
SHA-256:F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
SHA-512:7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18776
Entropy (8bit):5.182140892959793
Encrypted:false
SSDEEP:192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
MD5:B057315A8C04DF29B7E4FD2B257B75F4
SHA1:D674D066DF8D1041599FCBDB3BA113600C67AE93
SHA-256:51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
SHA-512:F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):152458
Entropy (8bit):5.013297113523102
Encrypted:false
SSDEEP:3072:4zkouwFDNSMUYugRJA8J/snalBEm0OgKXIJR10GZybh2U:4zDNIYt
MD5:A920D4F55EAE5FEBAB1082AB2BCC2439
SHA1:CBD631427871B620E9C95417788BFCDD1CD0A2A5
SHA-256:2FFF2122C4D176E074365775227D4208AF48F2F921BE7623EDC315CD345ACF0B
SHA-512:28135FBD9D940F0DEEC7A059AB2998B034575CC5D6DD31B1BE501B60689860478B0A0AB5183C69B2ACBBB9C1A074BBAA215960B3FACC6A9A3B0170E27E7B2B47
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):16118
Entropy (8bit):3.6434775915277604
Encrypted:false
SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:CD131D41791A543CC6F6ED1EA5BD257C
SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):88533
Entropy (8bit):7.210526848639953
Encrypted:false
SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
MD5:F9657D290048E169FFABBBB9C7412BE0
SHA1:E45531D559C38825FBDE6F25A82A638184130754
SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:dropped
Size (bytes):1150
Entropy (8bit):4.923507556620034
Encrypted:false
SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
MD5:7E55DDC6D611176E697D01C90A1212CF
SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5118974066097444
Encrypted:false
SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
MD5:26A00597735C5F504CF8B3E7E9A7A4C1
SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:dropped
Size (bytes):894
Entropy (8bit):2.5178766234336925
Encrypted:false
SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
MD5:8419CAA81F2377E09B7F2F6218E505AE
SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... ...............................................................................................................................................................................................................................................................................................................................................................................r.p..........................................q.oj.hq.o..........................................b.`...................................................................................................J.I..................|.|...y.y...............Q.PC.BF.E..........................................>.=.........".!..........................................2.1".!'.&..........................................".!.....................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                Entropy (8bit):2.5189797450574103
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                                                                                                                                                                MD5:924FD539523541D42DAD43290E6C0DB5
                                                                                                                                                                                SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                                                                                                                                                                SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                                                                                                                                                                SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... .................................................................................................................................................................................................................................................................................................................................................................................................................z.z...{.{...........................................................................................................................................................s.q..........................................y.wl.jl.j...............3.2#."*.)..................f.d.........E.D.........(.'..............................U.TE.DF.E..........................................E.D.....................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                Entropy (8bit):2.5119705312617957
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                                                                                                                                                                MD5:BB55B5086A9DA3097FB216C065D15709
                                                                                                                                                                                SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                                                                                                                                                                SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                                                                                                                                                                SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... .............................................................................................................................................................................................................y.y...|.|.............................................................................................................................................................................................................................................,.+".!,.+.........................................(.'......................................................................................=.<..........................................S.RC.BG.F.............................j.h.........H.G..............................y.wj.hi.g..........................................j.h.....................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                Entropy (8bit):2.5083713071878764
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                                                                                                                                                                MD5:3B4861F93B465D724C60670B64FCCFCF
                                                                                                                                                                                SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                                                                                                                                                                SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                                                                                                                                                                SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... .................................................................................................{.{...~.~.......................................................................................}.}.........................................................).(#."2.1..........................................).(...................................................................................................=.<..........................................N.ME.DN.M..........................................M.L.......................................................................................e.c..........................................z.xl.jm.k........................................r.p........................................................................................................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                Entropy (8bit):2.5043420982993396
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                                                                                                                                                                MD5:70006BF18A39D258012875AEFB92A3D1
                                                                                                                                                                                SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                                                                                                                                                                SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                                                                                                                                                                SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... .................................................................................................... ............................................$.$ ..0./...........................{.{............ ...........<.;..........................................C.BA.@O.N...............{.{...~.~..................G.F..................................................................................................._.]..........................................n.lg.en.l..........................................p.n...............................................................................................................................................................................................................................................................................................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                Entropy (8bit):2.4948009720290445
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                                                                                                                                                                MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                                                                                                                                                                SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                                                                                                                                                                SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                                                                                                                                                                SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... ....................................................................................................G.F..........................................H.GG.FX.V..............................).(.........G.F.........i.g..................+.*%.$5.4...............n.ln.l{.y.................. .......................u.s............................................................................................................................................................~.~...~.~.................................................................................................................................................................................................................................................................................................................................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):894
                                                                                                                                                                                Entropy (8bit):2.513882730304912
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                                                                                                                                                                MD5:D1C53003264DCE4EFFAF462C807E2D96
                                                                                                                                                                                SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                                                                                                                                                                SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                                                                                                                                                                SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..............h.......(....... ....................................................................................................g.e..........................................g.eg.ew.u..............................F.E.........g.e..............................E.DA.@P.O..........................................:.9......................................................................................&.%.........................................+.* ..+.*..................................................................................................................................................{.{.......................................................................................~.~...{.{..............................................................................................................................................G.......................................G..........
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1150
                                                                                                                                                                                Entropy (8bit):4.824239610266714
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                                                                                                                                                                MD5:7D62E82D960A938C98DA02B1D5201BD5
                                                                                                                                                                                SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                                                                                                                                                                SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                                                                                                                                                                SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:............ .h.......(....... ..... .....@........................................................................................klT.de..UV..RS..OP..MM..JJ..GG..DD..AA.x;<.x;<.r99.n67..........kl......D$.G2!...............VMH..>3..=6..91.r99..........op.........q[K.G<4..xh...........s..A5..B<..=5.x;<..........uv...........q[K.....G<4..........tg..KC..ID..B<.}>>..........{|.............q[K.q[K.q[K.q[K.vbR.}j[..VT..OL..ID..AA...............................yz..qr..kl..]\..VT..PL..DD.....................c`..^V..XK..R?..M4..G(..A...;...]\..VT..GG................fg.................................;...]\..JJ................mn..................................A...gg..MM................vw..................................G(..qr..OP..................................................M4..yz..RS..................................................R?.g33..UV....................................................XK..XY..XY..................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Category:dropped
Size (bytes):36710
Entropy (8bit):5.3785085024370805
Encrypted:false
SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
MD5:3D25D679E0FF0B8C94273DCD8B07049D
SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
Malicious:false
Preview:..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..|u..xq..|r..|u..rx..zy..|w.}.y...q...d...y...{......S...]..d..i..r..|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:dropped
Size (bytes):1150
Entropy (8bit):5.038533294442847
Encrypted:false
SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
MD5:661CBD315E9B23BA1CA19EDAB978F478
SHA1:605685C25D486C89F872296583E1DC2F20465A2B
SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
Malicious:false
Preview:............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
Category:dropped
Size (bytes):1150
Entropy (8bit):5.854644771288791
Encrypted:false
SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
MD5:EE2C05CC9D14C29F586D40EB90C610A9
SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
Malicious:false
Preview:............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..*-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......||..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..*,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................||..ef..jk..................$%d....................W....................................*,n.............................HI......................WY

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:dropped
Size (bytes):10134
Entropy (8bit):6.016582854640062
Encrypted:false
SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
Malicious:false
Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:dropped
Size (bytes):10134
Entropy (8bit):4.3821301214809045
Encrypted:false
SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
MD5:B2B1D79591FCA103959806A4BF27D036
SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
Malicious:false
Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
Category:dropped
Size (bytes):8968
Entropy (8bit):3.5907064103424333
Encrypted:false
SSDEEP:192:gCwdBdVv3CL021BqG2ahBCw2G2X2BCEj2G2KQ6G2nCw+KFl:kRPGiGPKGPGYCrKFl
MD5:66590F13F4C9BA563A9180BDF25A5B80
SHA1:D6D9146FAEEC7824B8A09DD6978E5921CC151906
SHA-256:BF787B8C697CE418F9D4C07260F56D1145CA70DB1CC4B1321D37840837621E8F
SHA-512:ABA67C66C2F3D9B3C9D71D64511895F15F696BE8BE0EEDD2D6908E1203C4B0CF318B366F9F3CD9C3B3B8C0770462F83E6EEA73E304C43F88D0CBEDF69E7C92B3
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. . .x.8.6. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".1.0...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".U.s.e.r.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):78152
Entropy (8bit):6.011592088917562
Encrypted:false
SSDEEP:1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
MD5:006F8A615020A4A17F5E63801485DF46
SHA1:78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
SHA-512:C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.|.......B.....h.~.....Y.|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):807256
Entropy (8bit):6.357664904941565
Encrypted:false
SSDEEP:24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
MD5:84C1DAF5F30FF99895ECAB3A55354BCF
SHA1:7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
SHA-256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
SHA-512:E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):295248
                                                                                                                                                                                Entropy (8bit):6.262127887617593
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
                                                                                                                                                                                MD5:EB881E3DDDC84B20BD92ABCEC444455F
                                                                                                                                                                                SHA1:E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
                                                                                                                                                                                SHA-256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
                                                                                                                                                                                SHA-512:5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):30120
                                                                                                                                                                                Entropy (8bit):4.990211039591874
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
                                                                                                                                                                                MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
                                                                                                                                                                                SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
                                                                                                                                                                                SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
                                                                                                                                                                                SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):41078
                                                                                                                                                                                Entropy (8bit):0.3169962482036715
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
                                                                                                                                                                                MD5:43B254D97B4FB6F9974AD3F935762C55
                                                                                                                                                                                SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
                                                                                                                                                                                SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
                                                                                                                                                                                SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):14246
                                                                                                                                                                                Entropy (8bit):3.70170676934679
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
                                                                                                                                                                                MD5:332ADF643747297B9BFA9527EAEFE084
                                                                                                                                                                                SHA1:670F933D778ECA39938A515A39106551185205E9
                                                                                                                                                                                SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
                                                                                                                                                                                SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" ..         xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >.. <Strings>..   <!-- Reflective property page -->..   <IDS_CAPTION_FORMAT_1S>#(loc.ids_caption_format_1s)</IDS_CAPTION_FORMAT_1S>..   <IDS_IS_REALLY_CANCEL>#(loc.ids_is_really_cancel)</IDS_IS_REALLY_CANCEL>....   <!-- System Requirements page -->..   <SYSREQPAGE_REQUIRED_AND_AVAILABLE_DISK_SPACE>#(loc.sysreq
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):36342
                                                                                                                                                                                Entropy (8bit):3.0937266645670003
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
                                                                                                                                                                                MD5:812F8D2E53F076366FA3A214BB4CF558
                                                                                                                                                                                SHA1:35AE734CFB99BB139906B5F4E8EFBF950762F6F0
                                                                                                                                                                                SHA-256:0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
                                                                                                                                                                                SHA-512:1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview:<?xml version="1.0" encoding="utf-16"?>..<SetupUI xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui" xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui" >..  <UI>....    <ResourceDll>SetupResources.dll</ResourceDll>..    <SplashScreen>..      <Hide/>..    </SplashScreen>....    <LCIDHints>..      <LCIDHint>..        <RegKey>HKCU\Software\Microsoft\VisualStudio\9.0\General</RegKey>..        <RegValueName>UILanguage_fake</RegValueName>..      </LCIDHint>..      <LCIDHint>..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7308
                                                                                                                                                                                Entropy (8bit):3.7864255453272464
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
                                                                                                                                                                                MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
                                                                                                                                                                                SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
                                                                                                                                                                                SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
                                                                                                                                                                                SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):144416
                                                                                                                                                                                Entropy (8bit):6.7404750879679485
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
                                                                                                                                                                                MD5:3F0363B40376047EFF6A9B97D633B750
                                                                                                                                                                                SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
                                                                                                                                                                                SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
                                                                                                                                                                                SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Microsoft Cabinet archive data, 4186145 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 354 datablocks, 0x1503 compression
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4192089
                                                                                                                                                                                Entropy (8bit):7.999755784501758
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:98304:YHgT57PlfosWFk9TRxWCP/kbNfS2g92D7epPC1txsBDDfifN7wVH:YHmPxFik99xlnANfcM3YDIN7YH
                                                                                                                                                                                MD5:6C59FECF51931FB4540E571AE0310098
                                                                                                                                                                                SHA1:DB5B0E9F7D20D2B1CCD61320ECCA7A60E118619B
                                                                                                                                                                                SHA-256:08E4D5BAD48C0203FDF02FDC28794F820DFB1D4480BDCAC562E7BC6E15FFAAD3
                                                                                                                                                                                SHA-512:D9CC7C6EF54105C981AACAAFDE890019AF766B53417E765FA7636C3B8A4400CE6F987CCEF1A54B4521412A8E45C011476C065CEBC892688AEED1B027E3E761BA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):155136
                                                                                                                                                                                Entropy (8bit):6.337010677866242
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                                                                                                                                                                MD5:CD2B99BB86BA6A499110C72B78B9324E
                                                                                                                                                                                SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                                                                                                                                                                SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                                                                                                                                                                SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
                                                                                                                                                                                File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):309032
                                                                                                                                                                                Entropy (8bit):6.583379857106919
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
                                                                                                                                                                                MD5:1A5CAAFACFC8C7766E404D019249CF67
                                                                                                                                                                                SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                                                                                                                                                                                SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                                                                                                                                                                                SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):26175
                                                                                                                                                                                Entropy (8bit):5.432884443471386
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:9ip/WPACjk4AJCK+nMUQA9qiMAH/cl6Lu6LPem6AR/ftk:9gWvk4AJCK+nMUQA9qiMU/cl6K65ntk
                                                                                                                                                                                MD5:54D7F4A2DBA7CB6B239889EF252F5766
                                                                                                                                                                                SHA1:FEF739A0A4B64F577B4091E216D3587EA67A60B3
                                                                                                                                                                                SHA-256:2BEED69AA7A5FEAEB1F4BB2C01CBB63D0907E857155577A295972D14C0DC28BC
                                                                                                                                                                                SHA-512:0FEC30BB8353B753571F3FC331E949E666C84087B10B9409662B650ECAD94D0DC5CA8D48975D24785163DD841E11BD153A1BCE4BDCC571715715650688F84F16
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:...@IXOS.@.....@pt_Y.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{9983C931-37BE-3C6E-AD32-8B6E789B6881}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{E822F933-C70D-3CF4-A92D-7263B8ACCF30}&.{196BB40D-1578
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):799568
                                                                                                                                                                                Entropy (8bit):6.390606039798855
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:XpFqy6cpZ4jhWZFmihMuDj8Ze6U8+yJ/x7ZI2lptCatFW8ExY+P/9:TFZjZsiuuD8X+y5tlpoGNExTPF
                                                                                                                                                                                MD5:AAC7ED76E8DE83F80D866EFE99121F2A
                                                                                                                                                                                SHA1:3A7AE94AE160FEE6F539CA0AA12FAFF2C19F84F2
                                                                                                                                                                                SHA-256:6C45957E8BFE773FC4F9055F8E1F88C4C7105C23B039526B07FB1921410F7574
                                                                                                                                                                                SHA-512:78DED5095F3081847D39DCC5A3F5447583962BBFD8A7DB72FC139872B05067E756AC8BA9F55A383861DEFA9FBB52EF0CE310F385577418B79713A9A4727D338A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):5
                                                                                                                                                                                Entropy (8bit):2.321928094887362
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:lmn:Y
                                                                                                                                                                                MD5:74BB59D6D08810C47300705CD93F7FF6
                                                                                                                                                                                SHA1:693678CBB26BC3D0624A27A8CAAF56BE4159249E
                                                                                                                                                                                SHA-256:E60B56706B9242C426A9F6FA818DAC18B65A0E1B997B5181523B49BC03894366
                                                                                                                                                                                SHA-512:6878D2DBCFC2D86D6B29BB7F993BD22BF2A4785E6FE19AD4B676CF00E94DE9E8E0B7246C62A56CDD3CB93ADB69B1ABE3985491174A34F6A71BB485270D8E6B1F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:736..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):70992
                                                                                                                                                                                Entropy (8bit):5.989810876164699
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:0uOUkO0UXRiKvbVAc5xt3lGnmdYw+WXsA9iYzvyq9rHUq:9OUu3KvbVtxt1Gnmdt+WXsox9oq
                                                                                                                                                                                MD5:2764C3E30034E9469ADBDBBC99BD98E7
                                                                                                                                                                                SHA1:F0014D2FAD0879323DCAFA6086647A21848910EE
                                                                                                                                                                                SHA-256:06F43698A703D3EF346C7FEDD8864452C4052EAB924A450CA1CCB12BC7C97049
                                                                                                                                                                                SHA-512:DE662E143460D44476AF66FDEB7A65699B06F565FED16F77B3776F3487ACCF76EE72016109549813F2C9F8B0DC061708C900FE3AE37C59DB374C4F33A67AAAFA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):16260
                                                                                                                                                                                Entropy (8bit):4.756487759189681
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:NCr4rCni5BdEHu6VroqId0EesZ/8eMeWp:c0e6vEvfLw9fWp
                                                                                                                                                                                MD5:0699CA05F3648A1D38EC1B0493D6716E
                                                                                                                                                                                SHA1:1FD90589878EBF967399405193A6BCC8424484FE
                                                                                                                                                                                SHA-256:1656F2398978E0C7E06784A5706C49D57E54E073FB656D3728C7BCF97300D3E5
                                                                                                                                                                                SHA-512:3E7D568E40BDB1BEBA86F0978600BA033C3DD9C6589490AEC6CF8F10E8F1F461DFB566377036B4DACFC3F7299B8D75B223AB238458E76E27C17A5A9BEBF2E973
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Embedthis Appweb GPL License Agreement....This software is licensed according to the provisions of GNU GENERAL PUBLIC..LICENSE below. ....Commercial license are also available for those who require them. The..Embedthis Commercial License, allows you to provide commercial software..licenses for products containing Embedthis software. This is for individuals or..organizations that do not want to release their source code as open source /..free software as governed by the GPL license below. For more information on..licensing, please see:....http://embedthis.com/downloads/licensing.html....Some components of the sofware are licensed from third parties. See the end of..this document for a list of licensed third party software.....GNU GENERAL PUBLIC LICENSE, Version 2, June 1991.....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite..330, Boston, MA 02111-1307 USA....Everyone is permitted to copy and distribute verbatim copies of this license..document, but ch
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2739
                                                                                                                                                                                Entropy (8bit):4.855747086863456
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:p2KzzQdnd6rIrNIqru6pN47wEbPmh0ThMsgazBCz4t0PiSLbFD/YWJI:p2Kg6rIraqFpwr+h0TWsgaz0Dirn
                                                                                                                                                                                MD5:20AB580E399534B15A80596BF368D082
                                                                                                                                                                                SHA1:354FA14F13DE311A83395B4552179FE2692D73E4
                                                                                                                                                                                SHA-256:168F4FF32F22F24AC210959328322D2C73AFBD245E47BC7060DB68DF6E30C8C8
                                                                                                                                                                                SHA-512:A97137121B6B32D0B203E725CE0C850E97959851F94AB1A23818615166144096A2AD723D7EE89F72253B5D2C81271C8C50C19108D95DA661E7EF10AF44F0CC5B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RdmAppweb....Welcome to the RdmAppweb -- the fastest little web server (from Embedthis..Appweb(TM))....This document contains details regarding the installation procedure for the..binary RdmAppweb package. This package contains pre-built stand-alone web..server and an embeddable HTTP library with headers. ....This software is copyrighted and distributed under license. Please read the..LICENSE.TXT for details.....Table of Contents....* System Requirements..* Installation Package Formats..* Development Environment Platform Support..* Windows Release Details..* Removing RdmAppweb..* Running RdmAppweb..* License and Copyright Information......System Requirements....Operating System Support.... * Windows-7, Windows-8 (x86,x64)....To install RdmAppweb, your system will need at least the following:.... * 10 MB Disk.. * 1 GB RAM....Installation Package Formats....Windows Release Details....To install the Windows Installer image:.... 1. Login with administrator privileges. This is n
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 64x64, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):12862
                                                                                                                                                                                Entropy (8bit):3.6798341854015195
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:q7KYJRfZ2YR6aRvnR0cORkoCqgR728KRPstRCZRk1RfRvRS24hRk8tCR2mRTkvRu:q7KYJRfZ2YR6aRvnR0cORkoCqgR728Ks
                                                                                                                                                                                MD5:C100FD2F4F4F10D15C0E6C4AFD22686D
                                                                                                                                                                                SHA1:AFE9BFD16D92EBB0CD96DA8054A566172742B2AC
                                                                                                                                                                                SHA-256:5585542C636B944637915F5BE13EC515619103150EC49F576D78DAB66F7503AC
                                                                                                                                                                                SHA-512:0E8E956933DB858F1CBA087A2A194454D3987FB1E14C033D38666637C36A0223E1BC4FFADE3E1725E7DC8F7F022928B4A66B9828E442E7E7BEA1D3DBA5666FE9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):574
                                                                                                                                                                                Entropy (8bit):5.001382113834723
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:DEvHXwD7kDULgQRHKDVkQpz2wP+BFooWzKzAbLN+7gAQvgI:D0YL7RHMVn4wP+QIugI
                                                                                                                                                                                MD5:DFD942F01998889C9E180A125247908B
                                                                                                                                                                                SHA1:6FA9ADF7F97149977C62F26CDA3AE38B5C309E19
                                                                                                                                                                                SHA-256:E3D07372DFFB6AD07192D92270AFEEFAC0B385E535C7CB91B06ADDFFD58CEB85
                                                                                                                                                                                SHA-512:DBED2E346D9067C09A2F9CFBD3A03E4348512736DBADC681FC4D6564B419C601A3E22759655D56E5F2D02FE42020AEC1E0F54E40C7308CF336C453A854AC96D1
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:LoadModule sslModule libmod_ssl..SSLCertificateFile "RDM.crt"..SSLCertificateKeyFile "RDM.key"....LoadModule espHandler libmod_esp..AddHandler espHandler esp.. ..#load the DA..LoadModule RDMDA RDMDA....<Route ^/SCM/4.0/da.esp$>.. Name DA_service.. EspUpdate off.. AddHandler espHandler.. EspDir cache cache.. EspDir controllers controllers.. Source DA_service.c.. Target run service-DA..</Route>....#remove the LimitWorkers line once we upgrade to latest Appweb..LimitWorkers 1..LimitRequestBody 12072K..LimitRequestForm 12072K..LimitMemory 250MB....
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2030
                                                                                                                                                                                Entropy (8bit):4.942123442929845
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:qXhKrzTbpV+JAcrPXGnEiCnvIIewNrfou/1:GhKrz5oSnE/h7Nrfdt
                                                                                                                                                                                MD5:5D84902B4958057D539FE5D59C09CC62
                                                                                                                                                                                SHA1:C6C93EA2F373D2C2229A89D0F10892C783828911
                                                                                                                                                                                SHA-256:2F5640B2D15D8422FD490DAE180F4882C3443C37FF0821D1905395F87338CB48
                                                                                                                                                                                SHA-512:A3407E48FC9043E554414DC31A1ED23D42E6F72C3F0623B72E09BA0A2C387210D3F289BABE5949249E72364BBF4E63E897348EC4C2ECD546536B8DD334B02A39
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:#..# appweb.conf -- Default Configuration for the RDM Appweb HTTP Server..# ....# The order of configuration directives matters as this file is parsed only ..# once. This is a minimal configuration. ....#..# The install.config specifies: Documents, Listen and ListenSecure..#..include install.conf....#..# Define the logging configuration first so errors are logged. This is for..# errors and debug trace for the whole server including virtual hosts. Add ..# a timestamp every 1 hour. This is overridden by appweb command line args...#..ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr....#..# The user and group account to run as. The fake name APPWEB will change..# user/group to the Appweb default user/group if running as root/adminstrator...# This is www on MAC, nobody/nogroup on Linux, and administrator on Windows. ..# NOTE: ESP require write access to the cache directory. if you wish ..# to backup log files, you must have write permission to
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):16896
                                                                                                                                                                                Entropy (8bit):5.9801987745437435
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:JB5KkbCUXI+YJavGsJu9hG+ENGS72dOaASl/eAlHByw41v3m:JB5hi+Y0vGsJu9hG+ENGS72dO9SlGAlg
                                                                                                                                                                                MD5:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                SHA1:AD8C499F471570B8D0180C31EFC0F1E81D6F67F0
                                                                                                                                                                                SHA-256:4961C91C6CB15EED0190FC0AFF734AB2321E15A52A08FB2A30D46BB121C62317
                                                                                                                                                                                SHA-512:265DAE9076F81DA8560B0160F550E3FD7585185295090B2C0D242464178F43B10A4B561FA8739D73E8669A436D512D561254D35C7B0E4B08425977FF98198EFB
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):12288
                                                                                                                                                                                Entropy (8bit):5.638218753760879
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:T1xbmFYsX4rMacMUW4E5dvkWaDkH43SzrweIGSkUCkLjgA:T1dm2sXQMacA7jv0SHweIGSk/
                                                                                                                                                                                MD5:BA232235CDE212CF4900B84C7BF1CC0E
                                                                                                                                                                                SHA1:71503AD422FD687B98AB1AA4324ED3555E50EB48
                                                                                                                                                                                SHA-256:EF4EA693303901FFDBBA080778B10371B17F2A3E764086E8FB97471F0CA0F511
                                                                                                                                                                                SHA-512:FF7FDF9193B22BDCE7167AFF31968C57EE779C4481C1CC1E39BE48127C53CA0425EC044F73F44F92C5597396D76C34B5061A38B6DCF9785B8B91D8BD69AB4259
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1647616
                                                                                                                                                                                Entropy (8bit):7.088070986211455
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:ySJnwTP/jsmQQRCQ2HszYJT/Cf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLYMj0:ySJ9mo9JTSuscKu6GaXUT4IBAUZLYM
                                                                                                                                                                                MD5:EAD0DDE5A722ACC8ADEA0C2263564F4D
                                                                                                                                                                                SHA1:FC177E716E4870DE24106A6A1DFB971644D45244
                                                                                                                                                                                SHA-256:807D582249379B09E6781BB974CD1FF94706632037C4657C9F8E85F16ACEBF16
                                                                                                                                                                                SHA-512:EFDADE19E7FE02320539B2914E01CFAE2663079CEE45E8682FCB2CD7ED4429195CD719B6F48668D9F2829C0C6EFF4962A40F64BA7361497518FAD7D6357DA296
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1945512
                                                                                                                                                                                Entropy (8bit):7.003194762767952
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:4gEzzioVnwD+qp+hNQUWZWkMnRqT3uscKu6GaXUT4IBAUZLYto:uZyLErn1JBAUZLN
                                                                                                                                                                                MD5:2C46013BF4D8D9285BFB8BAA35796B70
                                                                                                                                                                                SHA1:869D07FDBE3EBC456774E30CC93F6B955C764607
                                                                                                                                                                                SHA-256:E0B2A7B49BAA567B449C34FA0937140B93B038CC955A18C2AF342204AEB53280
                                                                                                                                                                                SHA-512:4B8281D570C5E2DCFFCC88121692CBB994F83FE266F3CC4F4CAE20138D4AAB876045D380915E939AD3343A9D2E195822A73FBAF2694453A57F77BD75F2279718
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):213049
                                                                                                                                                                                Entropy (8bit):5.983977006554565
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:18jMx5y5lXkqDBwTzQNcQpdIJGd9kmsD/kEQMV:iMxkZS4NVsDX9
                                                                                                                                                                                MD5:FB9F6A8E00AE22DA2B3C90E680136B9C
                                                                                                                                                                                SHA1:CF1D4B95D90758D0009784BF2D25F22987149D3F
SHA-256:11EEAC7CC607D41336A7254E8E43580B1B3F7D99DFB194F150BD2353960C7D82
SHA-512:728396C05A72C45648131174B27530CB324A659CE6205BCD4560A0DE929CB4705AC74FBDD51B3580FB5FE32882D7E8113D764469B7F541BF04A6367F97758D4B
Malicious:false
Preview:## Downloaded from: http://curl.haxx.se/docs/caextract.html.##.## ca-bundle.crt -- Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Thu Oct 18 19:05:59 2012.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1.##.## It contains the certificates in PEM format and can be used with Appweb via.## the SSLCACertificateFile directive and in http via the --ca switch..##..# @(#) $RCSfile: certdata.txt,v $ $Revision: 1.86 $ $Date: 2012/10/18 16:26:52 $..GTE CyberTrust Global Root.==========================.-----BEGIN CERTIFICATE-----.MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg.Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG.A1UEAxMaR1RFIEN5YmVyV

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text, with very long lines (335), with CRLF line terminators
Category:dropped
Size (bytes):6865
Entropy (8bit):5.132770146551146
Encrypted:false
SSDEEP:96:FShozmjyCz4iT3NGQ855kJJUMQpTpyJCqu1RBKh/y3VuEqa6lPEXn/NCquuM8L:qOC33qszQpYJfjAIw/Nfwq
MD5:4FCB126204C2F688E16478713C745C61
SHA1:B74B1EEE921AEFAEC0970040CC62D745BD4BC632
SHA-256:C02EEE67B598394155AD477B5DCDDFD49FA5422BDFDC9C218E27A8881841351A
SHA-512:844FCABAFEAC6A484640FB104691F520281D7CFD6CDBCD29A748192871584EC3C26A58A568E254CE82EE9C63AD81AA670E26A11F424FFBD0729DE5DA74734919
Malicious:false
Preview:#..# esp.conf -- ESP compiler rules..# ..# Commands can be hard coded or they can used tokens of the form ${TOKEN}. The supported tokens are:..# AR - Library archiver command path..# ARCH - Target cpu architecture (arm, mips, ppc, x86)..# ARLIB - Archive library extension including period..# CC - Compiler command path..# CFLAGS - Extra compiler flags..# DEBUG - Compiler debug switches..# GCC_ARCH - Gcc architecture mtune|mcpu setting..# INC - Default include directory path..# LIBPATH - Library search path..# LIBS - Libraries to link with..# LDFLAGS - Extra linker flags..# MOD - Output module filename..# OBJ - Object filename corresponding to SRC..# OS - Target operating system (lower case)..# PLATFORM - Target platform system (os-arch)..#

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):11377
Entropy (8bit):4.942076353956956
Encrypted:false
SSDEEP:192:gA7U3ER9LUSmMM6SLIHluhIv6Qor0qd7C/kuNNWB0:N7KE7Lbw6yIHlcIvF/VNNF
MD5:A86303D1D3E047CFF8F58A52FDA38C94
SHA1:862469510ACAA4B86D8A75E50524B351A813DD85
SHA-256:F48776B5F21B2EA7E42D26D6458EDF8BDEEA05A74A2C6624375F5DD630DAB6A7
SHA-512:79685377C2A2E4B91AB299C7CDC076E01AF251ECEACBB9B385D7BC4B1F4DB9696FB97B09B2B405CE43ADCB1D03A893CDE3DD97C41E270D03DF8B999E1CBA92EA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:#!/bin/bash..#..# install: Installation script for Appweb..#..# Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..################################################################################....HOME=`pwd`..FMT=..SITE=localhost..PAGE=/index.html....HOSTNAME=`hostname`..COMPANY="embedthis"..PRODUCT="RDMAppweb"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"..CPU="x86"..DIST="ms"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"..BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACH

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):90624
Entropy (8bit):6.27698072245688
Encrypted:false
SSDEEP:1536:RCVwsShqzeV5GgLvNtJCB5gFJ8Zl7TzueeHOAG4dNEDtCh6CBE:ROwsSJV5GoLPFiP7TCeeHOp8YtB8E
MD5:4F054B2C3650E37B9CD1CC39C4EB2E8E
SHA1:06930BD391261E504596C0F64D44B0C457AA28F4
SHA-256:1FAA19FB677D694A954004D0C09BD1B16A87263271EA5EC0042992659FA85A1C
SHA-512:D48561D3B4612D0B8D959FD3759A816CB11128BB6D81253B03DB8BC2FEFC4ACF8CE89F3947E34C8BA3847059274012E07CEB92014DD88A45B05C09F1DDF1DACD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text, with very long lines (335), with CRLF line terminators
Category:dropped
Size (bytes):6865
Entropy (8bit):5.132770146551146
Encrypted:false
SSDEEP:96:FShozmjyCz4iT3NGQ855kJJUMQpTpyJCqu1RBKh/y3VuEqa6lPEXn/NCquuM8L:qOC33qszQpYJfjAIw/Nfwq
MD5:4FCB126204C2F688E16478713C745C61
SHA1:B74B1EEE921AEFAEC0970040CC62D745BD4BC632
SHA-256:C02EEE67B598394155AD477B5DCDDFD49FA5422BDFDC9C218E27A8881841351A
SHA-512:844FCABAFEAC6A484640FB104691F520281D7CFD6CDBCD29A748192871584EC3C26A58A568E254CE82EE9C63AD81AA670E26A11F424FFBD0729DE5DA74734919
Malicious:false
Preview:#..# esp.conf -- ESP compiler rules..# ..# Commands can be hard coded or they can used tokens of the form ${TOKEN}. The supported tokens are:..# AR - Library archiver command path..# ARCH - Target cpu architecture (arm, mips, ppc, x86)..# ARLIB - Archive library extension including period..# CC - Compiler command path..# CFLAGS - Extra compiler flags..# DEBUG - Compiler debug switches..# GCC_ARCH - Gcc architecture mtune|mcpu setting..# INC - Default include directory path..# LIBPATH - Library search path..# LIBS - Libraries to link with..# LDFLAGS - Extra linker flags..# MOD - Output module filename..# OBJ - Object filename corresponding to SRC..# OS - Target operating system (lower case)..# PLATFORM - Target platform system (os-arch)..#

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):9216
Entropy (8bit):5.423164915401689
Encrypted:false
SSDEEP:192:8STpOu+I1gcIv72DwhRrw4Scw03Xdt4XPzHHIL3lvioD:l1OlUgwwhRrwEwcobHHBoD
MD5:7FE011C054A8D8621237289B5036671B
SHA1:9F09B469420E728FCC13C8FFB4B6093271F64EAA
SHA-256:D0A0A1896D406D6DE3F94EA252795BF1B120A0F205D9A32BFACE5BDE244B1391
SHA-512:6D7AEAB8C44277D7CC38B298B8F329491F2E81D382491E4E1DDE1532A1412A76B068EEAE90F26345AA52BBAAB22274293F4DFCDF292DEE64D4A0F7835B0F268D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):8329
Entropy (8bit):4.990362708041138
Encrypted:false
SSDEEP:96:Mysmv0i6F818NxRBNib8HUjxeUuuIZeMiBWesmeBBQLVGfPzEUHj5v:A+uBmYgHH24Vk7DHN
MD5:A4C8DF90B93FD01C6ED33137E9BE7ACC
SHA1:E60A19D55267D0B0284E112FAEC0CECF82D61062
SHA-256:ECBDEDFCF8D6C88019EC75FC3697BC2D59370042973FE0B5839350D9496B168B
SHA-512:F2608AF48C3EFAE58FFC45197BB060933C6129F8A8FCE7580002030D2DAD6E822E85B4B27142AD78B78B632F0BBB566889F3E6DE6D8DA04F9329CAA558017756
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:#!/bin/bash..#..#.uninstall: RDM Appweb uninstall script..#..#.Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..#.Usage: uninstall [configFile]..#..################################################################################....HOME=`pwd`..FMT=....PRODUCT="RDMAppweb"..COMPANY="embedthis"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"....BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACHE_PREFIX="C:\Program Files\RDM Appweb\cache"

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):197632
Entropy (8bit):6.605166882111358
Encrypted:false
SSDEEP:3072:l4+4Hlg9IDr8P2vo4dxmpUCwnwcH4a4JR6Og1kQ4IBv+TUp01a1f7lK3d+AZbbhR:ZulgOXdxmmCGnYzg1b4IL71jlK
MD5:7834B39AE2448802CC49658DA3348692
SHA1:EBBFD671FC7EA5B336AFA2DB8259D2F439E14792
SHA-256:A55E1B5504584093C6416CD3C3B508CB83A7CC2AE2BD9B2FD7D6BAD4D09A46A7
SHA-512:B57D462C220F913FCC4A4BA6AC31870EEEAA8ED425D8D5277BCB8781ACD7D19E6087915B38379C98A980BE89C292F6C29F0B1336E2B54A19AC4CA17CA1FE0DB9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text
Category:dropped
Size (bytes):213049
Entropy (8bit):5.983977006554565
Encrypted:false
SSDEEP:6144:18jMx5y5lXkqDBwTzQNcQpdIJGd9kmsD/kEQMV:iMxkZS4NVsDX9
MD5:FB9F6A8E00AE22DA2B3C90E680136B9C
SHA1:CF1D4B95D90758D0009784BF2D25F22987149D3F
SHA-256:11EEAC7CC607D41336A7254E8E43580B1B3F7D99DFB194F150BD2353960C7D82
SHA-512:728396C05A72C45648131174B27530CB324A659CE6205BCD4560A0DE929CB4705AC74FBDD51B3580FB5FE32882D7E8113D764469B7F541BF04A6367F97758D4B
Malicious:false
Preview:## Downloaded from: http://curl.haxx.se/docs/caextract.html.##.## ca-bundle.crt -- Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Thu Oct 18 19:05:59 2012.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1.##.## It contains the certificates in PEM format and can be used with Appweb via.## the SSLCACertificateFile directive and in http via the --ca switch..##..# @(#) $RCSfile: certdata.txt,v $ $Revision: 1.86 $ $Date: 2012/10/18 16:26:52 $..GTE CyberTrust Global Root.==========================.-----BEGIN CERTIFICATE-----.MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg.Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG.A1UEAxMaR1RFIEN5YmVyV

Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.616056614892387
Encrypted:false
SSDEEP:96:J1zaL+JOWK6kIvpwXvB0qMWJ5x1Y3XYMekSIL3Lo8Dmm:vzo+JOWK3sc5M6M3XYHHIL3NN
MD5:14BC81E513A7FB6120961D6F44E03777
SHA1:36E9B282B5B428103C32F87B0C1CE56D590209D5
SHA-256:E05F61AE4EC2D9EC4B306DAB2E3672FFD139729D0F08EB6F4360F3A7200BBB16
                                                                                                                                                                                SHA-512:3E792A98C1CD54BE1A7B6BE2FCE18F38C489DC6039F64D146E7775FDD2E6F8036AE3E004B3BCDCEF197ADABDFAD5184A30E192BC18061005C54E157A022864CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x...x...x.......{.......y.....&.z...XF.z...x...f.....'.u.......y.......y...Richx...........PE..L.....[...........!................o........ ...............................P............@..........................$..V...l!..<............................@.. .................................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...`....0......................@....reloc..T....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):12288
                                                                                                                                                                                Entropy (8bit):5.638218753760879
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:T1xbmFYsX4rMacMUW4E5dvkWaDkH43SzrweIGSkUCkLjgA:T1dm2sXQMacA7jv0SHweIGSk/
                                                                                                                                                                                MD5:BA232235CDE212CF4900B84C7BF1CC0E
                                                                                                                                                                                SHA1:71503AD422FD687B98AB1AA4324ED3555E50EB48
                                                                                                                                                                                SHA-256:EF4EA693303901FFDBBA080778B10371B17F2A3E764086E8FB97471F0CA0F511
                                                                                                                                                                                SHA-512:FF7FDF9193B22BDCE7167AFF31968C57EE779C4481C1CC1E39BE48127C53CA0425EC044F73F44F92C5597396D76C34B5061A38B6DCF9785B8B91D8BD69AB4259
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z..Z..Z...,..Z...,..Z...,..Z..K...Z..Z~..Z...,..Z...,..Z...,..Z..Rich.Z..........................PE..L.....[.....................................0....@..........................`............@.........................p?..E...t7...............................P..L....................................6..@............0..|............................text...r........................... ..`.rdata.......0......................@..@.data........@.......*..............@....reloc.......P.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):212992
                                                                                                                                                                                Entropy (8bit):6.807214175642466
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:d9IX3/AUmgxsd4zAqfUVHv9VruvpEn1bFefUwMC/zAyEqz3Aof7b4x0fhmybO+vb:7IrFY/qeHvTCZKyP7pzb4x0fhmybOs
                                                                                                                                                                                MD5:019B7EFBF61D12FC6372D4EAC6DDA58D
                                                                                                                                                                                SHA1:060F00308E8E83371E76912FC041A8B66026D44C
                                                                                                                                                                                SHA-256:CA22BB9AFB36AF7EAAE9C1DDD06690C7B01BD66BEE4BF8BBEA2F476E2EA7428C
                                                                                                                                                                                SHA-512:DF282162A8C40C204557DE6ECC1454AF5DAAAB9684CB654D7C8876CD13B39F24C5E7CBB3E4B18D3DDBBB78C7C6D7CB9E7C0F322C2B24D97BD4796D2945098EE2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(X..l9..l9..l9...O..n9...O..e9...O0.n9...P.e9..l9...9...O1.a9...O..m9...O..m9..Richl9..................PE..L.....[...........!.........................................................`............@..............................D..\...x............................@..........................................@............................................text...D........................... ..`.rdata..............................@..@.data...d....0......................@....reloc.......@......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):16896
                                                                                                                                                                                Entropy (8bit):5.9801987745437435
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:JB5KkbCUXI+YJavGsJu9hG+ENGS72dOaASl/eAlHByw41v3m:JB5hi+Y0vGsJu9hG+ENGS72dO9SlGAlg
                                                                                                                                                                                MD5:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                SHA1:AD8C499F471570B8D0180C31EFC0F1E81D6F67F0
                                                                                                                                                                                SHA-256:4961C91C6CB15EED0190FC0AFF734AB2321E15A52A08FB2A30D46BB121C62317
                                                                                                                                                                                SHA-512:265DAE9076F81DA8560B0160F550E3FD7585185295090B2C0D242464178F43B10A4B561FA8739D73E8669A436D512D561254D35C7B0E4B08425977FF98198EFB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&B5.G,f.G,f.G,f.1.f.G,f.1.f.G,f.1.f.G,fm..f.G,f.G-f.G,f.1.f.G,f.1.f.G,fRich.G,f................PE..L.....[................."...........+.......@....@.......................................@..................................J..x............................p.......................................I..@............@...............................text...0!.......".................. ..`.rdata.......@.......&..............@..@.data........`.......:..............@....reloc.......p.......<..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):16384
                                                                                                                                                                                Entropy (8bit):5.899521239113658
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:EdLoOflKKgDoZ8/LbRm9fwOKbXQGu4HH:tOflKKgDkALbo9IbbXQG1
                                                                                                                                                                                MD5:9ADB63236566865516EABD62C8022380
                                                                                                                                                                                SHA1:7076E74099E116FEB850C6A0A9BA00A7281D6B7C
                                                                                                                                                                                SHA-256:85374DA53306497D8416D890603FF4C82D750B45C858CF8B23A9BCD1BED2B3F7
                                                                                                                                                                                SHA-512:C3B62FF949046CA3E26EF80908B79E0AB74ABA4A6F7627B1E97188E70AE97EB20BC6BD9DBA146901C41D214D84A9EB0B6430E0C9A40FECE5FE519A340B021AC9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..J............n.......n.......n.=......M].........|...n.<.....n.......n.......Rich....................PE..L.....[...........!.....$...........+.......@............................................@..........................P..R....E..x............................p.......................................D..@............@...............................text....".......$.................. ..`.rdata.."....@.......(..............@..@.data...X....`.......:..............@....reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):270848
                                                                                                                                                                                Entropy (8bit):6.409278080790753
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:gefvLqSPbFqnJyt8Zwc1VaB4SBjRx7wWhKIhvt6NcJOwz1vBsBbf0INo00bq9Kpk:ge7qSPpqnJytEwc1Vu5BjRxEWhKIhvt0
                                                                                                                                                                                MD5:DCDD3041A03ABCBA60BF51D2E1345133
                                                                                                                                                                                SHA1:9B81D6C3D7F6D16A73222BCB5ACEC231C46B6F6B
                                                                                                                                                                                SHA-256:4BE51BD9D1C4E2EFDF4DA64511352D591748B7E71492FC9E85E901DC37CF03CE
                                                                                                                                                                                SHA-512:8BD431EBE6972A24EC6CDE4DAE062A4D545F4DE966C3A442D87E34E7E80D394533D739EFEC0F39EB2C8B9A3BC3B17B1B0B4BE86D877C1A4E7FA877F056C118C3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r...!...!...!...!...!...!...!..*!...!...!...!...!%..!..+!...!...!...!...!...!...!...!Rich...!........PE..L...Og1Y...........!......................... ...............................`............@.............................p$..L...P.... ..@....................0...#..0&..............................@...@............ ...............................text............................... ..`.rdata..0.... ......................@..@.data....1..........................@....rsrc...@.... ......................@..@.reloc...$...0...&..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):11377
                                                                                                                                                                                Entropy (8bit):4.942076353956956
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:gA7U3ER9LUSmMM6SLIHluhIv6Qor0qd7C/kuNNWB0:N7KE7Lbw6yIHlcIvF/VNNF
                                                                                                                                                                                MD5:A86303D1D3E047CFF8F58A52FDA38C94
                                                                                                                                                                                SHA1:862469510ACAA4B86D8A75E50524B351A813DD85
                                                                                                                                                                                SHA-256:F48776B5F21B2EA7E42D26D6458EDF8BDEEA05A74A2C6624375F5DD630DAB6A7
                                                                                                                                                                                SHA-512:79685377C2A2E4B91AB299C7CDC076E01AF251ECEACBB9B385D7BC4B1F4DB9696FB97B09B2B405CE43ADCB1D03A893CDE3DD97C41E270D03DF8B999E1CBA92EA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:#!/bin/bash..#..# install: Installation script for Appweb..#..# Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..################################################################################....HOME=`pwd`..FMT=..SITE=localhost..PAGE=/index.html....HOSTNAME=`hostname`..COMPANY="embedthis"..PRODUCT="RDMAppweb"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"..CPU="x86"..DIST="ms"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"..BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACH
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):770384
                                                                                                                                                                                Entropy (8bit):6.908020029901359
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                                                MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                                                SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                                                SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                                                SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):18944
                                                                                                                                                                                Entropy (8bit):6.028832391622257
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:wQcCAzEw0V1EWt8/65n+lv84bbbDqg1EoL4WGsHH4:wsw0bEd/60lPbbOg1DR
                                                                                                                                                                                MD5:E18A1AD9A5D290C9850A3622FA5D45BD
                                                                                                                                                                                SHA1:4E08FB95260291396CC38AD0893EC0435F0D7B86
                                                                                                                                                                                SHA-256:ED493B75DC61FC32E68D194C99FC0FA959B65ADA752321A1863BA28FA7C19F00
                                                                                                                                                                                SHA-512:1B856DA72D828212FB912285B83E9E541443038D199F962BF65FB2A38306F4352FBED354339D7A1AB524E735F911E417A809C65326EED18AFC3D84379EB56921
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p..R...R...R...=g..Z...=g..P...=g&.P.....F.Q...R...+...=g'._...=g..S...=g..S...RichR...........PE..L.....[...........!.....$...&......?+.......@............................................@..........................X......|Q..x............................p..x....................................P..@............@...............................text....".......$.................. ..`.rdata.......@.......(..............@..@.data........`.......B..............@....reloc.......p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):62976
                                                                                                                                                                                Entropy (8bit):6.3871862714349135
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:fcx5Wxp7SSeEkPbNj0FT0oxNy/jduwyojfjyxQ5D2zfndSIaBlgB6:fg5kSSrj0oxNy/jkDozjyxQ5D2jn5aB+
                                                                                                                                                                                MD5:D7808E34CECB78040C24D5D3E6620F44
                                                                                                                                                                                SHA1:7C0049BABB22E2B3C1ABFEEE9500455469E10E25
                                                                                                                                                                                SHA-256:675D920F83B1332E2456284FBAD045AC7FC04FCAF21F1FBE2E9071A9EB98F8FB
                                                                                                                                                                                SHA-512:102E8C638B46BE802F48E10DF728057F2D262BDF48701A71C29850ED283ED0BA21BFFF91B3130DF3FB45A16758E6E43B302D1BCC93E9B04E364ECAB9AB42AB1D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.~"..~"..~"......~"......~"......~".{..~"..~#..."......~"......~"......~".Rich.~".........PE..L.....[...........!.........V......X........................................ ............@.............................v.......d...............................<...................................X...@............................................text...l........................... ..`.rdata...D.......F..................@..@.data...p...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1945512
                                                                                                                                                                                Entropy (8bit):7.003194762767952
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:4gEzzioVnwD+qp+hNQUWZWkMnRqT3uscKu6GaXUT4IBAUZLYto:uZyLErn1JBAUZLN
                                                                                                                                                                                MD5:2C46013BF4D8D9285BFB8BAA35796B70
                                                                                                                                                                                SHA1:869D07FDBE3EBC456774E30CC93F6B955C764607
                                                                                                                                                                                SHA-256:E0B2A7B49BAA567B449C34FA0937140B93B038CC955A18C2AF342204AEB53280
                                                                                                                                                                                SHA-512:4B8281D570C5E2DCFFCC88121692CBB994F83FE266F3CC4F4CAE20138D4AAB876045D380915E939AD3343A9D2E195822A73FBAF2694453A57F77BD75F2279718
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.i.N.:.N.:.N.:.B.:.N.:.8H:.N.:p.L:.N.:.8J:.N.:.8.:.N.:.8~:.N.:...:.N.:.6W:.N.:.6G:.N.:.N.:.O.:.8{:.N.:.8O:.N.:.8N:.N.:.8I:.N.:Rich.N.:................PE..L...U^.a...........!................C........................................p.......#....@.........................p...................4................+......x.......................................@............................................text.............................. ..`.rdata..7g.......h..................@..@.data....}... ......................@....tls................................@....rsrc...4...........................@..@.reloc.............................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):114176
                                                                                                                                                                                Entropy (8bit):6.540804087334283
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:/3M4p/hdZNjBEp3DXrWaAhiZCQVUNPbPi+hDJVTMJetNiDvSuG61z:/3M4p/hBBEdawCBNT6+hDJVTKDvi6
                                                                                                                                                                                MD5:17AB0F15C0FED482AC60CC027895A5BB
                                                                                                                                                                                SHA1:F46F4BF77F09437B364D769AFB73011F9959BE99
                                                                                                                                                                                SHA-256:01A869D2268C6B9E5D5E2FD5C8BDEA02701C94D0232E5C1A13D8CACF25B9724B
                                                                                                                                                                                SHA-512:0B0A10332DB81DEC44ADA6646CADB907FE3D9B623A50FF729A97F4EE24E90420A9213D4D0F04769FA64D08A4C3DC5DD90F5559570CB8E9946946A0A150F7E02C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......TW...6.Y.6.Y.6.Y.@6Y.6.Y.@4Y.6.Y.@.Y.6.Y..aY.6.Y.6.Y67.Y.@.Y.6.Y.@1Y.6.Y.@7Y.6.YRich.6.Y........................PE..L.....[...........!.................1.......@............................................@.............................o...,}..................................X...................................`|..@............@...............................text..."-.......................... ..`.rdata...t...@...v...2..............@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):9216
                                                                                                                                                                                Entropy (8bit):5.432280273703063
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:yabSCrLx6HOI7bdeHFbatuSuzr7iCkLC:nbg+FUuSuH7B
                                                                                                                                                                                MD5:2B33B23FD5A45B1ACB401932D259469B
                                                                                                                                                                                SHA1:F7A01D0036849BE6AE3381B282CC0C6BA1F5942C
                                                                                                                                                                                SHA-256:8C700F40B86A7AC99FF638C8FA42DA8F9CC472C184A39EA8BFD5FAD899F6E9AA
                                                                                                                                                                                SHA-512:51BCC01DC1F41D49EA71E41E34855E0753AA3AD1E58F07A9F4EA2CE2AEC2D5C06C93AFAA254921DC2F874DF29497E5F2A3E5F6CA28293B0A2F26079601946422
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.......6.......6.93....6...7...6.......6.......6.Rich..6.........PE..L.....[............................c........0....@..........................`............@..................................2..<............................P...................................... 2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..^....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1158144
                                                                                                                                                                                Entropy (8bit):6.799583028872836
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:EqdexieP3sbOGmBuvzZo/VGxkWSEbJhspoZ8VeRp4rT:EzH8vzqt/WSEbTspoCV+p4rT
                                                                                                                                                                                MD5:D09BDE0F13751C84CFEB30B84B3B24EF
                                                                                                                                                                                SHA1:C571AF52BE38838E48D094FE5283918F37B376ED
                                                                                                                                                                                SHA-256:BBB0EE5FFA4CC340285EDEC8C9B7304B51310EB78301F5E0904B9EED6BB61559
                                                                                                                                                                                SHA-512:B12429EF53CA87B6A91D9ED99C37B847373D920B1BFF1AFBBE96C4FA12922A65E77D3E9CADBA8A946753F8CB307CFC68ABF7884EB6E6E3AE86B0203E08FAAFFB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...'Z..'Z..'Z..Z..'Z..Z..'Z..Z..'Z..&Z..'Z..Z..'Z..Z.'Z..Z..'Z..Z..'Z..Z..'ZRich..'Z........................PE..L...Cg1Y...........!.....f...h.......p....................................................@.............................Q...l........P..@....................`.....................................H...@............................................text....e.......f.................. ..`.rdata..a:.......<...j..............@..@.data............^..................@....rsrc...@....P......................@..@.reloc..f....`......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:current ar archive
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2582
                                                                                                                                                                                Entropy (8bit):4.87679160692813
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:c90gLRtp8ZR/vJXKw4zyAOzxGCXKPgmzXKnWT2Lt/:c90eMjKixvKPhKnWT2Lt/
                                                                                                                                                                                MD5:5AC67E3750ABF7238047BC2D38C98AAC
                                                                                                                                                                                SHA1:143027DE25CFAE78B0855C8444F99FA33822717C
                                                                                                                                                                                SHA-256:191FDCCFF02D38EC06F8B170D1C6B7637F19E568DB4C1A75BE6FB86B0F077DDA
                                                                                                                                                                                SHA-512:182079DDB664D734DB3D1597D89528AB7B6E367C6C7200FB3F087EB50A2787C02A6983FF41D7E9AD4EE767CB1668719A275B3826091AEAF32CA1332286EB2754
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:!<arch>./ 1542830833 0 332 `........$...V...........8...8...........N...N........__IMPORT_DESCRIPTOR_libmprssl.__NULL_IMPORT_DESCRIPTOR..libmprssl_NULL_THUNK_DATA.__imp__mprCiphers.__imp__mprGetSslCipherName._mprGetSslCipherName.__imp__mprGetSslCipherCode._mprGetSslCipherCode.__imp__mprCreateOpenSslModule._mprCreateOpenSslModule.__imp__mprSslInit._mprSslInit./ 1542830833 0 344 `.....$...V...........8.......N...................................__IMPORT_DESCRIPTOR_libmprssl.__NULL_IMPORT_DESCRIPTOR.__imp__mprCiphers.__imp__mprCreateOpenSslModule.__imp__mprGetSslCipherCode.__imp__mprGetSslCipherName.__imp__mprSslInit._mprCreateOpenSslModule._mprGetSslCipherCode._mprGetSslCipherName._mprSslInit..libmprssl_NULL_THUNK_DATA.libmprssl.dll/ 1542830833 0 501 `.L.....[.............debug$S........C...................@..B.idata$2............................@.0..idata$6............................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1647616
                                                                                                                                                                                Entropy (8bit):7.088070986211455
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:ySJnwTP/jsmQQRCQ2HszYJT/Cf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLYMj0:ySJ9mo9JTSuscKu6GaXUT4IBAUZLYM
                                                                                                                                                                                MD5:EAD0DDE5A722ACC8ADEA0C2263564F4D
                                                                                                                                                                                SHA1:FC177E716E4870DE24106A6A1DFB971644D45244
                                                                                                                                                                                SHA-256:807D582249379B09E6781BB974CD1FF94706632037C4657C9F8E85F16ACEBF16
                                                                                                                                                                                SHA-512:EFDADE19E7FE02320539B2914E01CFAE2663079CEE45E8682FCB2CD7ED4429195CD719B6F48668D9F2829C0C6EFF4962A40F64BA7361497518FAD7D6357DA296
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ YA.A7..A7..A7.....A7.O....A7.....A7..7...A7..7...A7..9...A7..Mh..A7.....A7..9...A7..A6..@7.....A7.....A7..7...A7..7...A7..7...A7.Rich.A7.........PE..L......Y...........!.................J...................................................@.........................`L.......-.......p.............................0...............................@...@...............,............................text...\........................... ..`.rdata..............................@..@.data........P...Z...>..............@....tls.........`......................@....rsrc........p... ..................@..@.reloc...i.......j..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):62976
                                                                                                                                                                                Entropy (8bit):6.3871862714349135
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:fcx5Wxp7SSeEkPbNj0FT0oxNy/jduwyojfjyxQ5D2zfndSIaBlgB6:fg5kSSrj0oxNy/jkDozjyxQ5D2jn5aB+
                                                                                                                                                                                MD5:D7808E34CECB78040C24D5D3E6620F44
                                                                                                                                                                                SHA1:7C0049BABB22E2B3C1ABFEEE9500455469E10E25
                                                                                                                                                                                SHA-256:675D920F83B1332E2456284FBAD045AC7FC04FCAF21F1FBE2E9071A9EB98F8FB
                                                                                                                                                                                SHA-512:102E8C638B46BE802F48E10DF728057F2D262BDF48701A71C29850ED283ED0BA21BFFF91B3130DF3FB45A16758E6E43B302D1BCC93E9B04E364ECAB9AB42AB1D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.~"..~"..~"......~"......~"......~".{..~"..~#..."......~"......~"......~".Rich.~".........PE..L.....[...........!.........V......X........................................ ............@.............................v.......d...............................<...................................X...@............................................text...l........................... ..`.rdata...D.......F..................@..@.data...p...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1158144
                                                                                                                                                                                Entropy (8bit):6.799583028872836
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:EqdexieP3sbOGmBuvzZo/VGxkWSEbJhspoZ8VeRp4rT:EzH8vzqt/WSEbTspoCV+p4rT
                                                                                                                                                                                MD5:D09BDE0F13751C84CFEB30B84B3B24EF
                                                                                                                                                                                SHA1:C571AF52BE38838E48D094FE5283918F37B376ED
                                                                                                                                                                                SHA-256:BBB0EE5FFA4CC340285EDEC8C9B7304B51310EB78301F5E0904B9EED6BB61559
                                                                                                                                                                                SHA-512:B12429EF53CA87B6A91D9ED99C37B847373D920B1BFF1AFBBE96C4FA12922A65E77D3E9CADBA8A946753F8CB307CFC68ABF7884EB6E6E3AE86B0203E08FAAFFB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...'Z..'Z..'Z..Z..'Z..Z..'Z..Z..'Z..&Z..'Z..Z..'Z..Z.'Z..Z..'Z..Z..'Z..Z..'ZRich..'Z........................PE..L...Cg1Y...........!.....f...h.......p....................................................@.............................Q...l........P..@....................`.....................................H...@............................................text....e.......f.................. ..`.rdata..a:.......<...j..............@..@.data............^..................@....rsrc...@....P......................@..@.reloc..f....`......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):197632
                                                                                                                                                                                Entropy (8bit):6.605166882111358
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:l4+4Hlg9IDr8P2vo4dxmpUCwnwcH4a4JR6Og1kQ4IBv+TUp01a1f7lK3d+AZbbhR:ZulgOXdxmmCGnYzg1b4IL71jlK
                                                                                                                                                                                MD5:7834B39AE2448802CC49658DA3348692
                                                                                                                                                                                SHA1:EBBFD671FC7EA5B336AFA2DB8259D2F439E14792
                                                                                                                                                                                SHA-256:A55E1B5504584093C6416CD3C3B508CB83A7CC2AE2BD9B2FD7D6BAD4D09A46A7
                                                                                                                                                                                SHA-512:B57D462C220F913FCC4A4BA6AC31870EEEAA8ED425D8D5277BCB8781ACD7D19E6087915B38379C98A980BE89C292F6C29F0B1336E2B54A19AC4CA17CA1FE0DB9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.K.+.%.+.%.+.%.D...-.%.D...-.%.D...).%....(.%.+.$.1.%.D...%.%.D...*.%.D...*.%.Rich+.%.........PE..L.....[...........!.....L...........N.......`...............................0............@.........................P...s7.....d...............................<.......................................@............`..x............................text...bK.......L.................. ..`.rdata......`.......P..............@..@.data...4...........................@....reloc..,...........................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):16384
                                                                                                                                                                                Entropy (8bit):5.899521239113658
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:EdLoOflKKgDoZ8/LbRm9fwOKbXQGu4HH:tOflKKgDkALbo9IbbXQG1
                                                                                                                                                                                MD5:9ADB63236566865516EABD62C8022380
                                                                                                                                                                                SHA1:7076E74099E116FEB850C6A0A9BA00A7281D6B7C
                                                                                                                                                                                SHA-256:85374DA53306497D8416D890603FF4C82D750B45C858CF8B23A9BCD1BED2B3F7
                                                                                                                                                                                SHA-512:C3B62FF949046CA3E26EF80908B79E0AB74ABA4A6F7627B1E97188E70AE97EB20BC6BD9DBA146901C41D214D84A9EB0B6430E0C9A40FECE5FE519A340B021AC9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..J............n.......n.......n.=......M].........|...n.<.....n.......n.......Rich....................PE..L.....[...........!.....$...........+.......@............................................@..........................P..R....E..x............................p.......................................D..@............@...............................text....".......$.................. ..`.rdata.."....@.......(..............@..@.data...X....`.......:..............@....reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):114176
                                                                                                                                                                                Entropy (8bit):6.540804087334283
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:/3M4p/hdZNjBEp3DXrWaAhiZCQVUNPbPi+hDJVTMJetNiDvSuG61z:/3M4p/hBBEdawCBNT6+hDJVTKDvi6
                                                                                                                                                                                MD5:17AB0F15C0FED482AC60CC027895A5BB
                                                                                                                                                                                SHA1:F46F4BF77F09437B364D769AFB73011F9959BE99
                                                                                                                                                                                SHA-256:01A869D2268C6B9E5D5E2FD5C8BDEA02701C94D0232E5C1A13D8CACF25B9724B
                                                                                                                                                                                SHA-512:0B0A10332DB81DEC44ADA6646CADB907FE3D9B623A50FF729A97F4EE24E90420A9213D4D0F04769FA64D08A4C3DC5DD90F5559570CB8E9946946A0A150F7E02C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......TW...6.Y.6.Y.6.Y.@6Y.6.Y.@4Y.6.Y.@.Y.6.Y..aY.6.Y.6.Y67.Y.@.Y.6.Y.@1Y.6.Y.@7Y.6.YRich.6.Y........................PE..L.....[...........!.................1.......@............................................@.............................o...,}..................................X...................................`|..@............@...............................text..."-.......................... ..`.rdata...t...@...v...2..............@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):9216
                                                                                                                                                                                Entropy (8bit):5.423164915401689
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:8STpOu+I1gcIv72DwhRrw4Scw03Xdt4XPzHHIL3lvioD:l1OlUgwwhRrwEwcobHHBoD
                                                                                                                                                                                MD5:7FE011C054A8D8621237289B5036671B
                                                                                                                                                                                SHA1:9F09B469420E728FCC13C8FFB4B6093271F64EAA
                                                                                                                                                                                SHA-256:D0A0A1896D406D6DE3F94EA252795BF1B120A0F205D9A32BFACE5BDE244B1391
                                                                                                                                                                                SHA-512:6D7AEAB8C44277D7CC38B298B8F329491F2E81D382491E4E1DDE1532A1412A76B068EEAE90F26345AA52BBAAB22274293F4DFCDF292DEE64D4A0F7835B0F268D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..J!...!...!...N...(...N... ...N.=.#....m].#...!.......N.<.,...N... ...N... ...Rich!...................PE..L.....[...........!.........................0...............................`............@..........................8..Q...L3..x............................P.......................................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...`....@....... ..............@....reloc.......P......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):212992
                                                                                                                                                                                Entropy (8bit):6.807214175642466
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:d9IX3/AUmgxsd4zAqfUVHv9VruvpEn1bFefUwMC/zAyEqz3Aof7b4x0fhmybO+vb:7IrFY/qeHvTCZKyP7pzb4x0fhmybOs
                                                                                                                                                                                MD5:019B7EFBF61D12FC6372D4EAC6DDA58D
                                                                                                                                                                                SHA1:060F00308E8E83371E76912FC041A8B66026D44C
                                                                                                                                                                                SHA-256:CA22BB9AFB36AF7EAAE9C1DDD06690C7B01BD66BEE4BF8BBEA2F476E2EA7428C
                                                                                                                                                                                SHA-512:DF282162A8C40C204557DE6ECC1454AF5DAAAB9684CB654D7C8876CD13B39F24C5E7CBB3E4B18D3DDBBB78C7C6D7CB9E7C0F322C2B24D97BD4796D2945098EE2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(X..l9..l9..l9...O..n9...O..e9...O0.n9...P.e9..l9...9...O1.a9...O..m9...O..m9..Richl9..................PE..L.....[...........!.........................................................`............@..............................D..\...x............................@..........................................@............................................text...D........................... ..`.rdata..............................@..@.data...d....0......................@....reloc.......@......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):18944
                                                                                                                                                                                Entropy (8bit):6.028832391622257
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:wQcCAzEw0V1EWt8/65n+lv84bbbDqg1EoL4WGsHH4:wsw0bEd/60lPbbOg1DR
                                                                                                                                                                                MD5:E18A1AD9A5D290C9850A3622FA5D45BD
                                                                                                                                                                                SHA1:4E08FB95260291396CC38AD0893EC0435F0D7B86
                                                                                                                                                                                SHA-256:ED493B75DC61FC32E68D194C99FC0FA959B65ADA752321A1863BA28FA7C19F00
                                                                                                                                                                                SHA-512:1B856DA72D828212FB912285B83E9E541443038D199F962BF65FB2A38306F4352FBED354339D7A1AB524E735F911E417A809C65326EED18AFC3D84379EB56921
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p..R...R...R...=g..Z...=g..P...=g&.P.....F.Q...R...+...=g'._...=g..S...=g..S...RichR...........PE..L.....[...........!.....$...&......?+.......@............................................@..........................X......|Q..x............................p..x....................................P..@............@...............................text....".......$.................. ..`.rdata.......@.......(..............@..@.data........`.......B..............@....reloc.......p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:current ar archive
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2582
                                                                                                                                                                                Entropy (8bit):4.87679160692813
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:c90gLRtp8ZR/vJXKw4zyAOzxGCXKPgmzXKnWT2Lt/:c90eMjKixvKPhKnWT2Lt/
                                                                                                                                                                                MD5:5AC67E3750ABF7238047BC2D38C98AAC
                                                                                                                                                                                SHA1:143027DE25CFAE78B0855C8444F99FA33822717C
                                                                                                                                                                                SHA-256:191FDCCFF02D38EC06F8B170D1C6B7637F19E568DB4C1A75BE6FB86B0F077DDA
                                                                                                                                                                                SHA-512:182079DDB664D734DB3D1597D89528AB7B6E367C6C7200FB3F087EB50A2787C02A6983FF41D7E9AD4EE767CB1668719A275B3826091AEAF32CA1332286EB2754
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:!<arch>./ 1542830833 0 332 `........$...V...........8...8...........N...N........__IMPORT_DESCRIPTOR_libmprssl.__NULL_IMPORT_DESCRIPTOR..libmprssl_NULL_THUNK_DATA.__imp__mprCiphers.__imp__mprGetSslCipherName._mprGetSslCipherName.__imp__mprGetSslCipherCode._mprGetSslCipherCode.__imp__mprCreateOpenSslModule._mprCreateOpenSslModule.__imp__mprSslInit._mprSslInit./ 1542830833 0 344 `.....$...V...........8.......N...................................__IMPORT_DESCRIPTOR_libmprssl.__NULL_IMPORT_DESCRIPTOR.__imp__mprCiphers.__imp__mprCreateOpenSslModule.__imp__mprGetSslCipherCode.__imp__mprGetSslCipherName.__imp__mprSslInit._mprCreateOpenSslModule._mprGetSslCipherCode._mprGetSslCipherName._mprSslInit..libmprssl_NULL_THUNK_DATA.libmprssl.dll/ 1542830833 0 501 `.L.....[.............debug$S........C...................@..B.idata$2............................@.0..idata$6............................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):90624
                                                                                                                                                                                Entropy (8bit):6.27698072245688
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:RCVwsShqzeV5GgLvNtJCB5gFJ8Zl7TzueeHOAG4dNEDtCh6CBE:ROwsSJV5GoLPFiP7TCeeHOp8YtB8E
                                                                                                                                                                                MD5:4F054B2C3650E37B9CD1CC39C4EB2E8E
                                                                                                                                                                                SHA1:06930BD391261E504596C0F64D44B0C457AA28F4
                                                                                                                                                                                SHA-256:1FAA19FB677D694A954004D0C09BD1B16A87263271EA5EC0042992659FA85A1C
                                                                                                                                                                                SHA-512:D48561D3B4612D0B8D959FD3759A816CB11128BB6D81253B03DB8BC2FEFC4ACF8CE89F3947E34C8BA3847059274012E07CEB92014DD88A45B05C09F1DDF1DACD
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VO&...H...H...H.}X....H.}X....H.}X....H......H...I.0.H.}X....H.}X....H.}X....H.Rich..H.........PE..L.....[...........!................".....................................................@..........................l......<i..<...................................................................ph..@............................................text............................... ..`.rdata..~}.......~..................@..@.data...x....p.......X..............@....reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6144
                                                                                                                                                                                Entropy (8bit):4.616056614892387
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:J1zaL+JOWK6kIvpwXvB0qMWJ5x1Y3XYMekSIL3Lo8Dmm:vzo+JOWK3sc5M6M3XYHHIL3NN
                                                                                                                                                                                MD5:14BC81E513A7FB6120961D6F44E03777
                                                                                                                                                                                SHA1:36E9B282B5B428103C32F87B0C1CE56D590209D5
                                                                                                                                                                                SHA-256:E05F61AE4EC2D9EC4B306DAB2E3672FFD139729D0F08EB6F4360F3A7200BBB16
                                                                                                                                                                                SHA-512:3E792A98C1CD54BE1A7B6BE2FCE18F38C489DC6039F64D146E7775FDD2E6F8036AE3E004B3BCDCEF197ADABDFAD5184A30E192BC18061005C54E157A022864CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x...x...x.......{.......y.....&.z...XF.z...x...f.....'.u.......y.......y...Richx...........PE..L.....[...........!................o........ ...............................P............@..........................$..V...l!..<............................@.. .................................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...`....0......................@....reloc..T....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):770384
                                                                                                                                                                                Entropy (8bit):6.908020029901359
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                                                MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                                                SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                                                SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                                                SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):9216
                                                                                                                                                                                Entropy (8bit):5.432280273703063
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:yabSCrLx6HOI7bdeHFbatuSuzr7iCkLC:nbg+FUuSuH7B
                                                                                                                                                                                MD5:2B33B23FD5A45B1ACB401932D259469B
                                                                                                                                                                                SHA1:F7A01D0036849BE6AE3381B282CC0C6BA1F5942C
                                                                                                                                                                                SHA-256:8C700F40B86A7AC99FF638C8FA42DA8F9CC472C184A39EA8BFD5FAD899F6E9AA
                                                                                                                                                                                SHA-512:51BCC01DC1F41D49EA71E41E34855E0753AA3AD1E58F07A9F4EA2CE2AEC2D5C06C93AFAA254921DC2F874DF29497E5F2A3E5F6CA28293B0A2F26079601946422
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.......6.......6.93....6...7...6.......6.......6.Rich..6.........PE..L.....[............................c........0....@..........................`............@..................................2..<............................P...................................... 2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..^....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):270848
                                                                                                                                                                                Entropy (8bit):6.409278080790753
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:gefvLqSPbFqnJyt8Zwc1VaB4SBjRx7wWhKIhvt6NcJOwz1vBsBbf0INo00bq9Kpk:ge7qSPpqnJytEwc1Vu5BjRxEWhKIhvt0
                                                                                                                                                                                MD5:DCDD3041A03ABCBA60BF51D2E1345133
                                                                                                                                                                                SHA1:9B81D6C3D7F6D16A73222BCB5ACEC231C46B6F6B
                                                                                                                                                                                SHA-256:4BE51BD9D1C4E2EFDF4DA64511352D591748B7E71492FC9E85E901DC37CF03CE
                                                                                                                                                                                SHA-512:8BD431EBE6972A24EC6CDE4DAE062A4D545F4DE966C3A442D87E34E7E80D394533D739EFEC0F39EB2C8B9A3BC3B17B1B0B4BE86D877C1A4E7FA877F056C118C3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r...!...!...!...!...!...!...!..*!...!...!...!...!%..!..+!...!...!...!...!...!...!...!Rich...!........PE..L...Og1Y...........!......................... ...............................`............@.............................p$..L...P.... ..@....................0...#..0&..............................@...@............ ...............................text............................... ..`.rdata..0.... ......................@..@.data....1..........................@....rsrc...@.... ......................@..@.reloc...$...0...&..................@..B................................................................................................................................................................................................................................................................................................................................
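The records above are what a triager actually works from: a file type, an 8-bit entropy, a ReversingLabs hit rate and the first bytes of the file. The following is an added example (not Joe Sandbox code and not an export format the sandbox provides) that parses records in the shape shown here, flags the things worth a second look (PE type without an MZ header or vice versa, entropy near 8 bits per byte, any non-zero AV hit, a dropped script), and shows how the "Entropy (8bit)" value is computed. The sample input is two records copied from this report with their Preview strings cut short; the 7.0-bit entropy threshold is an assumed heuristic, not a sandbox setting.

```python
"""Triage helper for Joe Sandbox-style "dropped files" records (added example)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two records copied from the report above; Preview strings
# are truncated. The bullet line is the sandbox's per-engine AV result.
SAMPLE = r"""
Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):9216
Entropy (8bit):5.432280273703063
Encrypted:false
MD5:2B33B23FD5A45B1ACB401932D259469B
SHA1:F7A01D0036849BE6AE3381B282CC0C6BA1F5942C
SHA-256:8C700F40B86A7AC99FF638C8FA42DA8F9CC472C184A39EA8BFD5FAD899F6E9AA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@.......
Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:current ar archive
Category:dropped
Size (bytes):2582
Entropy (8bit):4.87679160692813
Encrypted:false
MD5:5AC67E3750ABF7238047BC2D38C98AAC
SHA1:143027DE25CFAE78B0855C8444F99FA33822717C
SHA-256:191FDCCFF02D38EC06F8B170D1C6B7637F19E568DB4C1A75BE6FB86B0F077DDA
Malicious:false
Preview:!<arch>./ 1542830833 0 332 `....
"""

# "Key:Value" with no space after the colon; keys may contain spaces, parentheses and '-'.
FIELD_RE = re.compile(r"^([A-Za-z0-9 ()\-]+):(.*)$")
PE_TYPES = ("PE32", "PE32+")
HIGH_ENTROPY = 7.0  # assumed heuristic: packed/encrypted payloads sit near 8.0


@dataclass
class Dropped:
    fields: dict
    av_hits: list  # detection percentages, one per AV engine line


def parse_records(text: str) -> list:
    """Split the flat listing into records; a new record starts at each 'Process:' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):  # per-engine AV line under "Antivirus:"
            m = re.search(r"Detection:\s*(\d+)%", line)
            if cur is not None and m:
                cur.av_hits.append(int(m.group(1)))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Process":
            cur = Dropped({}, [])
            records.append(cur)
        if cur is not None:
            cur.fields[key] = val
    return records


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 0..8 scale as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(rec: Dropped) -> list:
    """Return human-readable reasons this dropped file deserves a closer look."""
    f, notes = rec.fields, []
    ftype, preview = f.get("File Type", ""), f.get("Preview", "")
    is_pe = ftype.startswith(PE_TYPES)
    if preview.startswith("MZ") and not is_pe:
        notes.append("MZ header but file type is not PE")
    if is_pe and not preview.startswith("MZ"):
        notes.append("PE type but preview lacks MZ header")
    try:
        ent = float(f.get("Entropy (8bit)", "0"))
    except ValueError:
        ent = 0.0
    if ent >= HIGH_ENTROPY:
        notes.append(f"high entropy {ent:.2f}")
    if any(h > 0 for h in rec.av_hits):
        notes.append(f"AV detection {max(rec.av_hits)}%")
    if "shell script" in ftype.lower():
        notes.append("script dropped by installer: review contents")
    return notes


def summarize(text: str) -> list:
    """(SHA-256, file type, notes) per record, for an IOC sheet or a ticket."""
    return [(r.fields.get("SHA-256", "?"), r.fields.get("File Type", "?"), triage(r))
            for r in parse_records(text)]


if __name__ == "__main__":
    for sha, ftype, notes in summarize(SAMPLE):
        print(sha, "|", ftype, "|", "; ".join(notes) or "no flags")
```

A single low-percentage engine hit on a small PE32, as in the first sample record, is weak evidence on its own; the notes are meant to order manual review, not to decide verdicts, which is why the report's own "Malicious:false" is carried through untouched.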
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):8329
                                                                                                                                                                                Entropy (8bit):4.990362708041138
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:Mysmv0i6F818NxRBNib8HUjxeUuuIZeMiBWesmeBBQLVGfPzEUHj5v:A+uBmYgHH24Vk7DHN
                                                                                                                                                                                MD5:A4C8DF90B93FD01C6ED33137E9BE7ACC
                                                                                                                                                                                SHA1:E60A19D55267D0B0284E112FAEC0CECF82D61062
                                                                                                                                                                                SHA-256:ECBDEDFCF8D6C88019EC75FC3697BC2D59370042973FE0B5839350D9496B168B
                                                                                                                                                                                SHA-512:F2608AF48C3EFAE58FFC45197BB060933C6129F8A8FCE7580002030D2DAD6E822E85B4B27142AD78B78B632F0BBB566889F3E6DE6D8DA04F9329CAA558017756
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:#!/bin/bash..#..#.uninstall: RDM Appweb uninstall script..#..#.Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..#.Usage: uninstall [configFile]..#..################################################################################....HOME=`pwd`..FMT=....PRODUCT="RDMAppweb"..COMPANY="embedthis"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"....BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACHE_PREFIX="C:\Program Files\RDM Appweb\cache"
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):10240
                                                                                                                                                                                Entropy (8bit):5.472363161166322
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:ewYNFNZNWNGNlNNNM2a+XgApmQ7xs9HGPGHH3X8PVlD69OeGMskA:ewrGsVXsPVl+
                                                                                                                                                                                MD5:C294956435DAFBB85576411C193194B7
                                                                                                                                                                                SHA1:311B68DC30EEBCEA346F4BB27053C37D6E9B3415
                                                                                                                                                                                SHA-256:AF0079A84FF550D0678E1428CFDF157D0B69437A5F45085F01B049FB0AD8CF0D
                                                                                                                                                                                SHA-512:628BC704A48E5F98E20E92C0FF373A294B49DC6CF2162E06C8E732C5889BDBD48FC50C898F30279785C579310D3B24C6F6C63C290D2A3BAD58F2862C4703E813
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P......L...L...L..gL...L.@hL...L.@jL...L.@_L...L..?L...L...L"..L.@^L...L.@oL...L.@iL...LRich...L........................PE..L....H.T...........!.........................0...............................`............@.........................07..|....1..x............................P..,....................................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..Z....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15360
                                                                                                                                                                                Entropy (8bit):4.764212548874856
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:g4XTbqm6GUVFK9GGxd4oGbeGSe4myxDlZw3XYPVR6y1mctFisjdkSVnB:Hy4bhZQIPV51mcnkSV
                                                                                                                                                                                MD5:44C50541990E65CD71A3B8D488575628
                                                                                                                                                                                SHA1:125174987BC831EB817788D77DD1A3F0045F1330
                                                                                                                                                                                SHA-256:D17FD8F0E530885A9D8107ABF0EC68D133F68BF7873A130E9EDEE13DDA989D50
                                                                                                                                                                                SHA-512:EDA8E569EA33BF7DDB212B038C3B2F2D12F1FF09DE1FC9F8310F6E7E342CA9744C59F4040B496D5C6FBCD3B0B5A8FC4DE1DD88C7A702549E88EDC19DB39C8F56
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....L...L...L.dfL...L.iL...L.kL...L.^L...Lv.>L...L...L...L._L...L.nL...L.hL...LRich...L........................PE..L....H.T...........!..........[.....f .......0................................\...........@..........................7..}....1..x.............................[.....................................01..@............0...............................text...n........................... ..`.rdata..-....0......................@..@.data....[..@.......$..............@....reloc..D.....[......*..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15360
                                                                                                                                                                                Entropy (8bit):4.764212548874856
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:g4XTbqm6GUVFK9GGxd4oGbeGSe4myxDlZw3XYPVR6y1mctFisjdkSVnB:Hy4bhZQIPV51mcnkSV
                                                                                                                                                                                MD5:44C50541990E65CD71A3B8D488575628
                                                                                                                                                                                SHA1:125174987BC831EB817788D77DD1A3F0045F1330
                                                                                                                                                                                SHA-256:D17FD8F0E530885A9D8107ABF0EC68D133F68BF7873A130E9EDEE13DDA989D50
                                                                                                                                                                                SHA-512:EDA8E569EA33BF7DDB212B038C3B2F2D12F1FF09DE1FC9F8310F6E7E342CA9744C59F4040B496D5C6FBCD3B0B5A8FC4DE1DD88C7A702549E88EDC19DB39C8F56
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....L...L...L.dfL...L.iL...L.kL...L.^L...Lv.>L...L...L...L._L...L.nL...L.hL...LRich...L........................PE..L....H.T...........!..........[.....f .......0................................\...........@..........................7..}....1..x.............................[.....................................01..@............0...............................text...n........................... ..`.rdata..-....0......................@..@.data....[..@.......$..............@....reloc..D.....[......*..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):10240
                                                                                                                                                                                Entropy (8bit):5.472363161166322
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:ewYNFNZNWNGNlNNNM2a+XgApmQ7xs9HGPGHH3X8PVlD69OeGMskA:ewrGsVXsPVl+
                                                                                                                                                                                MD5:C294956435DAFBB85576411C193194B7
                                                                                                                                                                                SHA1:311B68DC30EEBCEA346F4BB27053C37D6E9B3415
                                                                                                                                                                                SHA-256:AF0079A84FF550D0678E1428CFDF157D0B69437A5F45085F01B049FB0AD8CF0D
                                                                                                                                                                                SHA-512:628BC704A48E5F98E20E92C0FF373A294B49DC6CF2162E06C8E732C5889BDBD48FC50C898F30279785C579310D3B24C6F6C63C290D2A3BAD58F2862C4703E813
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P......L...L...L..gL...L.@hL...L.@jL...L.@_L...L..?L...L...L"..L.@^L...L.@oL...L.@iL...LRich...L........................PE..L....H.T...........!.........................0...............................`............@.........................07..|....1..x............................P..,....................................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..Z....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1343
                                                                                                                                                                                Entropy (8bit):4.729477215077007
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:ZXM28ykmHFSwMcwa4Lphvo0cwV+whOuiOar9cDCZbyO9WOy:ZXgykYgwMcwasPv9VpMui7JcDSy0W
                                                                                                                                                                                MD5:67EB417F2CFAB6B9CD65A46B2645C0F1
                                                                                                                                                                                SHA1:F70200DC8525716D5ACEAE3F9D1AF0354E6F2AAB
                                                                                                                                                                                SHA-256:7D5012CAD1DC515870406CA7BC1185F234F241BCC052CC1AAF22588D32BF46E8
                                                                                                                                                                                SHA-512:9EEA74E80A76700BA32BBBFF8C3A4E2EE21C92F4028A0190E0E0B75DE6427E584DA4D7C1798A78FB9CCCC4AC984FF4A86D08CB1E77D97DDE7E0E8C28C9C08678
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/Program Files/RDM Appweb/CertMgr.Exe./Program Files/RDM Appweb/LICENSE.TXT./Program Files/RDM Appweb/README.TXT./Program Files/RDM Appweb/Rdm.ico./Program Files/RDM Appweb/appweb.conf./Program Files/RDM Appweb/bin/RDMAppman.exe./Program Files/RDM Appweb/bin/RDMAppweb.exe./Program Files/RDM Appweb/bin/ca.crt./Program Files/RDM Appweb/bin/esp.conf./Program Files/RDM Appweb/bin/install./Program Files/RDM Appweb/bin/libappweb.dll./Program Files/RDM Appweb/bin/libeay32.dll./Program Files/RDM Appweb/bin/libhttp.dll./Program Files/RDM Appweb/bin/libmod_cgi.dll./Program Files/RDM Appweb/bin/libmod_esp.dll./Program Files/RDM Appweb/bin/libmod_ssl.dll./Program Files/RDM Appweb/bin/libmpr.dll./Program Files/RDM Appweb/bin/libmprssl.dll./Program Files/RDM Appweb/bin/libmprssl.lib./Program Files/RDM Appweb/bin/libpcre.dll./Program Files/RDM Appweb/bin/libslink.dll./Program Files/RDM Appweb/bin/msvcr100.dll./Program Files/RDM Appweb/bin/removeFiles.exe./Program Files/RDM Appweb/bin/ssleay32.dll./Pr
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):106
                                                                                                                                                                                Entropy (8bit):5.002092325538369
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:3Q/EzvxmfsNrHO0MS0oXRuho/2CLZhn:9jxT2SRrv
                                                                                                                                                                                MD5:A5C52895B72CDEE08CEF09F58AE06469
                                                                                                                                                                                SHA1:5F7D1CAA54FA6BC7E19A454A43D61EA34F3C287E
                                                                                                                                                                                SHA-256:041AE90E9295260E852C10C30F845ACD7BCD73B58D2CB3F911D34F39829BF8B4
                                                                                                                                                                                SHA-512:0F47822C3707DA644DE3FD933888D9F5622D1C04D648BE289CAA8F2DBEE111A31C2FCD41C29A8FA8AF23FB438FDAA871BC31C97C55AD18906419AB8452AA2FCB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Documents "web".set LOG_DIR "log".set CACHE_DIR "cache".ListenSecure 127.0.0.1:736.ListenSecure [::1]:736.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PEM certificate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1574
                                                                                                                                                                                Entropy (8bit):5.905699622879769
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
                                                                                                                                                                                MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
                                                                                                                                                                                SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
                                                                                                                                                                                SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
                                                                                                                                                                                SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN CERTIFICATE-----.MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx.MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB.FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB.CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo.5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9.pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S.9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il.rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:MS Windows icon resource - 1 icon, 64x64, 24 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):12862
                                                                                                                                                                                Entropy (8bit):3.6798341854015195
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:q7KYJRfZ2YR6aRvnR0cORkoCqgR728KRPstRCZRk1RfRvRS24hRk8tCR2mRTkvRu:q7KYJRfZ2YR6aRvnR0cORkoCqgR728Ks
                                                                                                                                                                                MD5:C100FD2F4F4F10D15C0E6C4AFD22686D
                                                                                                                                                                                SHA1:AFE9BFD16D92EBB0CD96DA8054A566172742B2AC
                                                                                                                                                                                SHA-256:5585542C636B944637915F5BE13EC515619103150EC49F576D78DAB66F7503AC
                                                                                                                                                                                SHA-512:0E8E956933DB858F1CBA087A2A194454D3987FB1E14C033D38666637C36A0223E1BC4FFADE3E1725E7DC8F7F022928B4A66B9828E442E7E7BEA1D3DBA5666FE9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......@@......(2......(...@................0............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):187
                                                                                                                                                                                Entropy (8bit):5.181464333881601
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:1qfsNkdZj2/zHJvxMS+dZj2/zHoNi5S/Ek1XZj2/zHBxXRuho/2CFUXYw2n:1vdvekc0lk1QtxBr9UX6n
                                                                                                                                                                                MD5:0EEDCC979E0E69F6797C01C54B9D2ED7
                                                                                                                                                                                SHA1:7512E590C482AEEE98F8B5454A11866CD29ACF5E
                                                                                                                                                                                SHA-256:7591CA2E4526BC241CC623E037DA03130F02C7E186E2B23F046ED132C1E4EF2A
                                                                                                                                                                                SHA-512:5A732CBF50212F5E5DC1F2BE90FCC8BD6CEC0F303D06D32BAD4F04A14EC5D6DFA64D55D6757728D4ABC68A72F3E192415935379642D0FCDA9FFBBF371235EF36
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:set LOG_DIR "C:\Program Files\RDM Appweb\log".set CACHE_DIR "C:\Program Files\RDM Appweb\cache".Documents "C:\Program Files\RDM Appweb\web".ListenSecure 127.0.0.1:736.Listen 127.0.0.1:81.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2030
                                                                                                                                                                                Entropy (8bit):4.942123442929845
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:qXhKrzTbpV+JAcrPXGnEiCnvIIewNrfou/1:GhKrz5oSnE/h7Nrfdt
                                                                                                                                                                                MD5:5D84902B4958057D539FE5D59C09CC62
                                                                                                                                                                                SHA1:C6C93EA2F373D2C2229A89D0F10892C783828911
                                                                                                                                                                                SHA-256:2F5640B2D15D8422FD490DAE180F4882C3443C37FF0821D1905395F87338CB48
                                                                                                                                                                                SHA-512:A3407E48FC9043E554414DC31A1ED23D42E6F72C3F0623B72E09BA0A2C387210D3F289BABE5949249E72364BBF4E63E897348EC4C2ECD546536B8DD334B02A39
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:#..# appweb.conf -- Default Configuration for the RDM Appweb HTTP Server..# ....# The order of configuration directives matters as this file is parsed only ..# once. This is a minimal configuration. ....#..# The install.config specifies: Documents, Listen and ListenSecure..#..include install.conf....#..# Define the logging configuration first so errors are logged. This is for..# errors and debug trace for the whole server including virtual hosts. Add ..# a timestamp every 1 hour. This is overridden by appweb command line args...#..ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr....#..# The user and group account to run as. The fake name APPWEB will change..# user/group to the Appweb default user/group if running as root/adminstrator...# This is www on MAC, nobody/nogroup on Linux, and administrator on Windows. ..# NOTE: ESP require write access to the cache directory. if you wish ..# to backup log files, you must have write permission to
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):22445
                                                                                                                                                                                Entropy (8bit):4.756022236735267
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:35QzHCaou+vDy8tRP9v0Di6N9G5q+sP/oppqnd:3SGvprv0Di6N9GM+tp6d
                                                                                                                                                                                MD5:077D74570F3BCDFAF1446A1B10AB477B
                                                                                                                                                                                SHA1:115F6DBC318962C15400B8EAD9499E8997F9A70C
                                                                                                                                                                                SHA-256:ADE6F7E4C5D2B6D1285686ECD968BC4F14AC53E7D568292EA2E4556A81E02072
                                                                                                                                                                                SHA-512:63BF51961888A482A5D9727A9E6D2D5A81AA5492E64CBE15E731944E9036BA396D8DAFB22BCBAE58FFB0FCC4C1894BA527AEA06CED0B719319571801FD0BC501
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:#.# sample.conf -- Sample (Maximal) Configuration for the Embedthis Appweb HTTP Server.# .# This sample demonstrates many directives that can be used in an appweb.conf file..# Do not use this file directly, it is too verbose. Rather cut the sections you need.# into your own, minimal configuration file...#.# Server home directory for Appweb to find configuration files. .# Appweb will change directory to this location when it runs..#.# Home "."..#.# Define the logging configuration first so any errors are logged..# This is for errors and debug trace. This log file is for the whole.# server including virtual hosts. Add a timestamp every 1 hour..# This is overridden by appweb command line args: -v and --log..#.ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr..#.# Control the tracing of request and response requests to the error log..# This directive defines the levels at which various events are logged..#.# Log rx conn=5 first=2 headers=3
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PEM certificate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1472
                                                                                                                                                                                Entropy (8bit):5.885548451022044
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:LrcC5C/hfz7O7nw+U7KjDxYpxN9OBRtsrtt7vl9cprz9R8mUzsRkq2TIKA7HtnXJ:LrcJpfz7Snw+U7TN9O7urb7typImMsj1
                                                                                                                                                                                MD5:520E74A2B8D63AE554CD91011694C1F2
                                                                                                                                                                                SHA1:EAA9D1A7E63DA0945A94E1983F829BD1D1778902
                                                                                                                                                                                SHA-256:4AF8F1EC7A8207BF3BB6CD2C42A4ED5E9C2D0CEEB6D2D88E7B2C9C980ADD1135
                                                                                                                                                                                SHA-512:415BB2D409BAE76292766288A771AF47BA84C7849637C6A0EA852F4520117C6C78CFA1AED8658218E79C4A0C69A92DC1F197E8B29757695E701D1E97CFDFFAE5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN CERTIFICATE-----.MIIEETCCAvmgAwIBAgIJAK5EzyUs5u9CMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTcwNDIw.MjAzMzAwWhcNMjcwNDE4MjAzMzAwWjCBoDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEgMB4GA1UEAwwXbG9jYWxob3N0IC0gUkRNIFNjYW5uZXIwggEiMA0G.CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvfQRrBmdXTR9THaoAbeCyLEW3Rd4x.KOGbIwdYQChU69De4u3tX9q7/IU2G3Kjwk1u6Ga3fu/9SFQfRlm6aFPKtXUZG0XM.9E4dpA/n9q/1cCQVAsf8ZYyBT1OHfRRQuqSr9+/smFpipDbCemhQIf3pO+h0kgyp.yw2V8/qHbZ1GZWWAcyC6awTUE1CfQydNqPz3ODzOBMj8WXjC1BFqzaG2a/34hhjN.d3MLqA/XZRS8nWLKKB4ghaTRp55f1V/tVAt9nPSZ7i/a9WG86mD1IOMiqN7X2RDA.BevkEZvBiy3QeCL8aIoPVNmED1jLD6sDBk5o9ntIRN6FEARYQ285ZnkPAgMBAA
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2739
                                                                                                                                                                                Entropy (8bit):4.855747086863456
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:p2KzzQdnd6rIrNIqru6pN47wEbPmh0ThMsgazBCz4t0PiSLbFD/YWJI:p2Kg6rIraqFpwr+h0TWsgaz0Dirn
                                                                                                                                                                                MD5:20AB580E399534B15A80596BF368D082
                                                                                                                                                                                SHA1:354FA14F13DE311A83395B4552179FE2692D73E4
                                                                                                                                                                                SHA-256:168F4FF32F22F24AC210959328322D2C73AFBD245E47BC7060DB68DF6E30C8C8
                                                                                                                                                                                SHA-512:A97137121B6B32D0B203E725CE0C850E97959851F94AB1A23818615166144096A2AD723D7EE89F72253B5D2C81271C8C50C19108D95DA661E7EF10AF44F0CC5B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RdmAppweb....Welcome to the RdmAppweb -- the fastest little web server (from Embedthis..Appweb(TM))....This document contains details regarding the installation procedure for the..binary RdmAppweb package. This package contains pre-built stand-alone web..server and an embeddable HTTP library with headers. ....This software is copyrighted and distributed under license. Please read the..LICENSE.TXT for details.....Table of Contents....* System Requirements..* Installation Package Formats..* Development Environment Platform Support..* Windows Release Details..* Removing RdmAppweb..* Running RdmAppweb..* License and Copyright Information......System Requirements....Operating System Support.... * Windows-7, Windows-8 (x86,x64)....To install RdmAppweb, your system will need at least the following:.... * 10 MB Disk.. * 1 GB RAM....Installation Package Formats....Windows Release Details....To install the Windows Installer image:.... 1. Login with administrator privileges. This is n
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2881
                                                                                                                                                                                Entropy (8bit):4.577137481337325
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:7tDhL6n+lQiaCM6olp/HeDaOrdkQu2lY1XhWWNCLG48h0ccxEH6BTyP66raD8uL4:thLNQrf6qk8/iclKxEarLj65
                                                                                                                                                                                MD5:1E2288EE5609BA07EFE10FB9A6EF61B2
                                                                                                                                                                                SHA1:E718F9F52DE5AA7AC9B5F72F3A7D6EE9D2326E30
                                                                                                                                                                                SHA-256:4AE88DA61C928D6F25503628B8CDAF8288CCC3E493FBD9683CA806D0951274AE
                                                                                                                                                                                SHA-512:CB0CEFF46AE4742C66C763A5877251B2490688774C30C48CAC6959BC2352E1F1C6683276FADB844411C474EF6FA51969DDBBE43123D031991883480DF3DF2EC2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:application/javascript js.application/json json.application/mac-binhex40 hqx.application/mac-compactpro cpt.application/msword doc.application/octet-stream bin dms lha lzh exe class so dll jar dmg deb pkg.application/oda oda.application/pdf pdf.application/postscript ai eps ps.application/sdp sdp.application/smil smi smil.application/vnd.mif mif.application/vnd.ms-excel xls.application/vnd.ms-fontobject eof.application/vnd.ms-powerpoint ppt.application/vnd.rn-realmedia rm.application/vnd.wap.wbxml wbxml.application/vnd.wap.wmlc wmlc.application/vnd.wap.wmlscriptc wmlsc.application/x-bcpio bcpio.application/x-bzip2 bz2.application/x-cdlink vcd.application/x-chess-pgn pgn.application/x-cpio cpio.application/x-csh csh.application/x-director dcr dir dxr.application/x-dvi dvi.application/x-font-ttf ttf.application/x-font-opentype otf.application/x-futuresplash spl.application/x-gtar gtar.application/x-gzip gz tgz.application/x-hdf hdf.application/x-kchart chrt.application/x-killustrator kil
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1343
                                                                                                                                                                                Entropy (8bit):4.729477215077007
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:ZXM28ykmHFSwMcwa4Lphvo0cwV+whOuiOar9cDCZbyO9WOy:ZXgykYgwMcwasPv9VpMui7JcDSy0W
                                                                                                                                                                                MD5:67EB417F2CFAB6B9CD65A46B2645C0F1
                                                                                                                                                                                SHA1:F70200DC8525716D5ACEAE3F9D1AF0354E6F2AAB
                                                                                                                                                                                SHA-256:7D5012CAD1DC515870406CA7BC1185F234F241BCC052CC1AAF22588D32BF46E8
                                                                                                                                                                                SHA-512:9EEA74E80A76700BA32BBBFF8C3A4E2EE21C92F4028A0190E0E0B75DE6427E584DA4D7C1798A78FB9CCCC4AC984FF4A86D08CB1E77D97DDE7E0E8C28C9C08678
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/Program Files/RDM Appweb/CertMgr.Exe./Program Files/RDM Appweb/LICENSE.TXT./Program Files/RDM Appweb/README.TXT./Program Files/RDM Appweb/Rdm.ico./Program Files/RDM Appweb/appweb.conf./Program Files/RDM Appweb/bin/RDMAppman.exe./Program Files/RDM Appweb/bin/RDMAppweb.exe./Program Files/RDM Appweb/bin/ca.crt./Program Files/RDM Appweb/bin/esp.conf./Program Files/RDM Appweb/bin/install./Program Files/RDM Appweb/bin/libappweb.dll./Program Files/RDM Appweb/bin/libeay32.dll./Program Files/RDM Appweb/bin/libhttp.dll./Program Files/RDM Appweb/bin/libmod_cgi.dll./Program Files/RDM Appweb/bin/libmod_esp.dll./Program Files/RDM Appweb/bin/libmod_ssl.dll./Program Files/RDM Appweb/bin/libmpr.dll./Program Files/RDM Appweb/bin/libmprssl.dll./Program Files/RDM Appweb/bin/libmprssl.lib./Program Files/RDM Appweb/bin/libpcre.dll./Program Files/RDM Appweb/bin/libslink.dll./Program Files/RDM Appweb/bin/msvcr100.dll./Program Files/RDM Appweb/bin/removeFiles.exe./Program Files/RDM Appweb/bin/ssleay32.dll./Pr
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PEM RSA private key
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1675
                                                                                                                                                                                Entropy (8bit):6.020979289198149
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:LrddS4E21k97ESwa3fDvYt3fT67NHyuDHXYopF6v:Lrdd1EkkJEufDvkmNt7XYopIv
                                                                                                                                                                                MD5:40FE5B7F579DC671E23EEEB6931C1EFF
                                                                                                                                                                                SHA1:79B6EA99A4B4FCF6EF91FF12252A8DBD95252AEC
                                                                                                                                                                                SHA-256:6EF57ED842EF806919FAE0BD1046D3461618E6F6A89645BAE3DCEE508BBB9F41
                                                                                                                                                                                SHA-512:9DB966DD29BAD78BA6DC31CD1A2BE17A02AD0811C89015791B471347461BEB9A80E5C3F9910D7802B94D136A5CF90CD4368987902A360772AF0DB3EBEAB98369
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN RSA PRIVATE KEY-----.MIIEogIBAAKCAQEAr30EawZnV00fUx2qAG3gsixFt0XeMSjhmyMHWEAoVOvQ3uLt.7V/au/yFNhtyo8JNbuhmt37v/UhUH0ZZumhTyrV1GRtFzPROHaQP5/av9XAkFQLH./GWMgU9Th30UULqkq/fv7JhaYqQ2wnpoUCH96TvodJIMqcsNlfP6h22dRmVlgHMg.umsE1BNQn0MnTaj89zg8zgTI/Fl4wtQRas2htmv9+IYYzXdzC6gP12UUvJ1iyige.IIWk0aeeX9Vf7VQLfZz0me4v2vVhvOpg9SDjIqje19kQwAXr5BGbwYst0Hgi/GiK.D1TZhA9Yyw+rAwZOaPZ7SETehRAEWENvOWZ5DwIDAQABAoIBAC7siuXjTHa3lIyw./egneVGrLOkYsZULjWfiMfCTFzW96JfwrhYu71oc57HUHQ9UwUfKtMyUEK/1Sykh.spR5mQ42/xy7giqPmOOsHuSzvdEvLza/C6KdtLhO8dLkyy3a+nVRUsI86s49grb1.7DahIDfhYQLqmqA8P2G9X1wfH1LXEEvQVs+T6M8vIQbLiJiNhmFC+BMU0ec/7j8m.DF9S1cIp/KtmyRECfiepNaakWvr2HvinhMNg9Lz4HICsfYUX6oM/mlB6hj3jVisp.8/SPepwUQ8mzQhQmXdbrMT0DLosVqgUj2WK/f95m2VzF7PktsagXW0Oqtg2A7FiP.9yB1xYECgYEA5vpJuYw3PPaec+jvm56kxFzO4quctU5tfCuB+gwloYvrACZLY7XN.6Qgk4+xInZtGcVabxhi9xlUlIiTkUf6tDNCsFniWCwRxJfkdB6UxgDP3laJzlZHa.M/2FCVSw56Y3YqRYiqIu9ZSxe572FEp6Q20/nDSR2qF0rd/wLRvox58CgYEAwn/X.cKXk45N60cHFcVQe0wEAj2V505N7mJC2muKNv3b/dcQnl7P65ENU7lS7Fy
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):70992
                                                                                                                                                                                Entropy (8bit):5.989810876164699
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:0uOUkO0UXRiKvbVAc5xt3lGnmdYw+WXsA9iYzvyq9rHUq:9OUu3KvbVtxt1Gnmdt+WXsox9oq
                                                                                                                                                                                MD5:2764C3E30034E9469ADBDBBC99BD98E7
                                                                                                                                                                                SHA1:F0014D2FAD0879323DCAFA6086647A21848910EE
                                                                                                                                                                                SHA-256:06F43698A703D3EF346C7FEDD8864452C4052EAB924A450CA1CCB12BC7C97049
                                                                                                                                                                                SHA-512:DE662E143460D44476AF66FDEB7A65699B06F565FED16F77B3776F3487ACCF76EE72016109549813F2C9F8B0DC061708C900FE3AE37C59DB374C4F33A67AAAFA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=[.eS..eS..eS......eS......eS......eS..eR..eS......eS...-..eS......eS......eS.Rich.eS.................PE..L... .[J.....................................................................@......C.....@...... ......................................xW..............P....0..........................................@............................................text...f........................... ..`.data....(..........................@....rsrc...xW.......X..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):16260
                                                                                                                                                                                Entropy (8bit):4.756487759189681
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:NCr4rCni5BdEHu6VroqId0EesZ/8eMeWp:c0e6vEvfLw9fWp
                                                                                                                                                                                MD5:0699CA05F3648A1D38EC1B0493D6716E
                                                                                                                                                                                SHA1:1FD90589878EBF967399405193A6BCC8424484FE
                                                                                                                                                                                SHA-256:1656F2398978E0C7E06784A5706C49D57E54E073FB656D3728C7BCF97300D3E5
                                                                                                                                                                                SHA-512:3E7D568E40BDB1BEBA86F0978600BA033C3DD9C6589490AEC6CF8F10E8F1F461DFB566377036B4DACFC3F7299B8D75B223AB238458E76E27C17A5A9BEBF2E973
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Embedthis Appweb GPL License Agreement....This software is licensed according to the provisions of GNU GENERAL PUBLIC..LICENSE below. ....Commercial license are also available for those who require them. The..Embedthis Commercial License, allows you to provide commercial software..licenses for products containing Embedthis software. This is for individuals or..organizations that do not want to release their source code as open source /..free software as governed by the GPL license below. For more information on..licensing, please see:....http://embedthis.com/downloads/licensing.html....Some components of the sofware are licensed from third parties. See the end of..this document for a list of licensed third party software.....GNU GENERAL PUBLIC LICENSE, Version 2, June 1991.....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite..330, Boston, MA 02111-1307 USA....Everyone is permitted to copy and distribute verbatim copies of this license..document, but ch
                                                                                                                                                                                Process:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1000
                                                                                                                                                                                Entropy (8bit):4.889712884379908
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:1PL9MPmGpPoKHPBhBPxcNPjTPDPMCHPP1e8PmGpPtPsUPPPUIhDPUihDcY4LMbUK:duDB7vB3cPr/v9DBFswHbhrVhswYK
                                                                                                                                                                                MD5:7E156B08E062A82EBE52CC96BC676351
                                                                                                                                                                                SHA1:6DBA13B151FE124FF38424710D68C6583426912D
                                                                                                                                                                                SHA-256:2F442350E4C9CB214DDDCA54EA56D70A0B79CF8A7A146402B17DA9E6CF71B7F0
                                                                                                                                                                                SHA-512:4F84C0F0C8618164C6C3F6A8A47A2FF972CDD7ED902891A07FC474E5E25F66B9621249661CBA5470746F0A47705E75A7DF5535B9A8F5A31B712ED157E58C40E0
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RDMAppweb: 2: Configuration for RDM Corporation RDMAppweb..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Version: 4.6.0.10..RDMAppweb: 2: BuildType: Release..RDMAppweb: 2: CPU: x86..RDMAppweb: 2: OS: windows..RDMAppweb: 2: Host: 820094..RDMAppweb: 2: Directory: C:\Program Files (x86)\RDM Corporation\RDM Appweb..RDMAppweb: 2: Configure: me configure --nocross --release --platform windows-x86-default --with openssl=C:/openssl-1.0.1h --with esp --without sqlite --without est..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Loading native module libmod_ssl.dll..RDMAppweb: 2: Loading native module libmod_esp.dll..RDMAppweb: 2: Loading native module RDMDA.dll..RDMAppweb: 2: Started HTTPS service on "127.0.0.1:736"..RDMAppweb: 2: Started HTTPS service on "[::1]:736"..RDMAppweb: 1: Started at Thu Oct 31 14:35:42 2024 Eastern Summer Time with max 1 threads..
                                                                                                                                                                                Process:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1000
                                                                                                                                                                                Entropy (8bit):4.889712884379908
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:1PL9MPmGpPoKHPBhBPxcNPjTPDPMCHPP1e8PmGpPtPsUPPPUIhDPUihDcY4LMbUK:duDB7vB3cPr/v9DBFswHbhrVhswYK
                                                                                                                                                                                MD5:7E156B08E062A82EBE52CC96BC676351
                                                                                                                                                                                SHA1:6DBA13B151FE124FF38424710D68C6583426912D
                                                                                                                                                                                SHA-256:2F442350E4C9CB214DDDCA54EA56D70A0B79CF8A7A146402B17DA9E6CF71B7F0
                                                                                                                                                                                SHA-512:4F84C0F0C8618164C6C3F6A8A47A2FF972CDD7ED902891A07FC474E5E25F66B9621249661CBA5470746F0A47705E75A7DF5535B9A8F5A31B712ED157E58C40E0
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:RDMAppweb: 2: Configuration for RDM Corporation RDMAppweb..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Version: 4.6.0.10..RDMAppweb: 2: BuildType: Release..RDMAppweb: 2: CPU: x86..RDMAppweb: 2: OS: windows..RDMAppweb: 2: Host: 820094..RDMAppweb: 2: Directory: C:\Program Files (x86)\RDM Corporation\RDM Appweb..RDMAppweb: 2: Configure: me configure --nocross --release --platform windows-x86-default --with openssl=C:/openssl-1.0.1h --with esp --without sqlite --without est..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Loading native module libmod_ssl.dll..RDMAppweb: 2: Loading native module libmod_esp.dll..RDMAppweb: 2: Loading native module RDMDA.dll..RDMAppweb: 2: Started HTTPS service on "127.0.0.1:736"..RDMAppweb: 2: Started HTTPS service on "[::1]:736"..RDMAppweb: 1: Started at Thu Oct 31 14:35:42 2024 Eastern Summer Time with max 1 threads..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2881
                                                                                                                                                                                Entropy (8bit):4.577137481337325
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:7tDhL6n+lQiaCM6olp/HeDaOrdkQu2lY1XhWWNCLG48h0ccxEH6BTyP66raD8uL4:thLNQrf6qk8/iclKxEarLj65
                                                                                                                                                                                MD5:1E2288EE5609BA07EFE10FB9A6EF61B2
                                                                                                                                                                                SHA1:E718F9F52DE5AA7AC9B5F72F3A7D6EE9D2326E30
                                                                                                                                                                                SHA-256:4AE88DA61C928D6F25503628B8CDAF8288CCC3E493FBD9683CA806D0951274AE
                                                                                                                                                                                SHA-512:CB0CEFF46AE4742C66C763A5877251B2490688774C30C48CAC6959BC2352E1F1C6683276FADB844411C474EF6FA51969DDBBE43123D031991883480DF3DF2EC2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:application/javascript js.application/json json.application/mac-binhex40 hqx.application/mac-compactpro cpt.application/msword doc.application/octet-stream bin dms lha lzh exe class so dll jar dmg deb pkg.application/oda oda.application/pdf pdf.application/postscript ai eps ps.application/sdp sdp.application/smil smi smil.application/vnd.mif mif.application/vnd.ms-excel xls.application/vnd.ms-fontobject eof.application/vnd.ms-powerpoint ppt.application/vnd.rn-realmedia rm.application/vnd.wap.wbxml wbxml.application/vnd.wap.wmlc wmlc.application/vnd.wap.wmlscriptc wmlsc.application/x-bcpio bcpio.application/x-bzip2 bz2.application/x-cdlink vcd.application/x-chess-pgn pgn.application/x-cpio cpio.application/x-csh csh.application/x-director dcr dir dxr.application/x-dvi dvi.application/x-font-ttf ttf.application/x-font-opentype otf.application/x-futuresplash spl.application/x-gtar gtar.application/x-gzip gz tgz.application/x-hdf hdf.application/x-kchart chrt.application/x-killustrator kil
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PEM certificate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1472
                                                                                                                                                                                Entropy (8bit):5.885548451022044
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:LrcC5C/hfz7O7nw+U7KjDxYpxN9OBRtsrtt7vl9cprz9R8mUzsRkq2TIKA7HtnXJ:LrcJpfz7Snw+U7TN9O7urb7typImMsj1
                                                                                                                                                                                MD5:520E74A2B8D63AE554CD91011694C1F2
                                                                                                                                                                                SHA1:EAA9D1A7E63DA0945A94E1983F829BD1D1778902
                                                                                                                                                                                SHA-256:4AF8F1EC7A8207BF3BB6CD2C42A4ED5E9C2D0CEEB6D2D88E7B2C9C980ADD1135
                                                                                                                                                                                SHA-512:415BB2D409BAE76292766288A771AF47BA84C7849637C6A0EA852F4520117C6C78CFA1AED8658218E79C4A0C69A92DC1F197E8B29757695E701D1E97CFDFFAE5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN CERTIFICATE-----.MIIEETCCAvmgAwIBAgIJAK5EzyUs5u9CMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTcwNDIw.MjAzMzAwWhcNMjcwNDE4MjAzMzAwWjCBoDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEgMB4GA1UEAwwXbG9jYWxob3N0IC0gUkRNIFNjYW5uZXIwggEiMA0G.CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvfQRrBmdXTR9THaoAbeCyLEW3Rd4x.KOGbIwdYQChU69De4u3tX9q7/IU2G3Kjwk1u6Ga3fu/9SFQfRlm6aFPKtXUZG0XM.9E4dpA/n9q/1cCQVAsf8ZYyBT1OHfRRQuqSr9+/smFpipDbCemhQIf3pO+h0kgyp.yw2V8/qHbZ1GZWWAcyC6awTUE1CfQydNqPz3ODzOBMj8WXjC1BFqzaG2a/34hhjN.d3MLqA/XZRS8nWLKKB4ghaTRp55f1V/tVAt9nPSZ7i/a9WG86mD1IOMiqN7X2RDA.BevkEZvBiy3QeCL8aIoPVNmED1jLD6sDBk5o9ntIRN6FEARYQ285ZnkPAgMBAA
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PEM RSA private key
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1675
                                                                                                                                                                                Entropy (8bit):6.020979289198149
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:LrddS4E21k97ESwa3fDvYt3fT67NHyuDHXYopF6v:Lrdd1EkkJEufDvkmNt7XYopIv
                                                                                                                                                                                MD5:40FE5B7F579DC671E23EEEB6931C1EFF
                                                                                                                                                                                SHA1:79B6EA99A4B4FCF6EF91FF12252A8DBD95252AEC
                                                                                                                                                                                SHA-256:6EF57ED842EF806919FAE0BD1046D3461618E6F6A89645BAE3DCEE508BBB9F41
                                                                                                                                                                                SHA-512:9DB966DD29BAD78BA6DC31CD1A2BE17A02AD0811C89015791B471347461BEB9A80E5C3F9910D7802B94D136A5CF90CD4368987902A360772AF0DB3EBEAB98369
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN RSA PRIVATE KEY-----.MIIEogIBAAKCAQEAr30EawZnV00fUx2qAG3gsixFt0XeMSjhmyMHWEAoVOvQ3uLt.7V/au/yFNhtyo8JNbuhmt37v/UhUH0ZZumhTyrV1GRtFzPROHaQP5/av9XAkFQLH./GWMgU9Th30UULqkq/fv7JhaYqQ2wnpoUCH96TvodJIMqcsNlfP6h22dRmVlgHMg.umsE1BNQn0MnTaj89zg8zgTI/Fl4wtQRas2htmv9+IYYzXdzC6gP12UUvJ1iyige.IIWk0aeeX9Vf7VQLfZz0me4v2vVhvOpg9SDjIqje19kQwAXr5BGbwYst0Hgi/GiK.D1TZhA9Yyw+rAwZOaPZ7SETehRAEWENvOWZ5DwIDAQABAoIBAC7siuXjTHa3lIyw./egneVGrLOkYsZULjWfiMfCTFzW96JfwrhYu71oc57HUHQ9UwUfKtMyUEK/1Sykh.spR5mQ42/xy7giqPmOOsHuSzvdEvLza/C6KdtLhO8dLkyy3a+nVRUsI86s49grb1.7DahIDfhYQLqmqA8P2G9X1wfH1LXEEvQVs+T6M8vIQbLiJiNhmFC+BMU0ec/7j8m.DF9S1cIp/KtmyRECfiepNaakWvr2HvinhMNg9Lz4HICsfYUX6oM/mlB6hj3jVisp.8/SPepwUQ8mzQhQmXdbrMT0DLosVqgUj2WK/f95m2VzF7PktsagXW0Oqtg2A7FiP.9yB1xYECgYEA5vpJuYw3PPaec+jvm56kxFzO4quctU5tfCuB+gwloYvrACZLY7XN.6Qgk4+xInZtGcVabxhi9xlUlIiTkUf6tDNCsFniWCwRxJfkdB6UxgDP3laJzlZHa.M/2FCVSw56Y3YqRYiqIu9ZSxe572FEp6Q20/nDSR2qF0rd/wLRvox58CgYEAwn/X.cKXk45N60cHFcVQe0wEAj2V505N7mJC2muKNv3b/dcQnl7P65ENU7lS7Fy
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PEM certificate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1574
                                                                                                                                                                                Entropy (8bit):5.905699622879769
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
                                                                                                                                                                                MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
                                                                                                                                                                                SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
                                                                                                                                                                                SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
                                                                                                                                                                                SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN CERTIFICATE-----.MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx.MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB.FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB.CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo.5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9.pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S.9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il.rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV
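The dropped file above is the PEM certificate behind the report's "Installs new ROOT certificates" signature, and the preview shows enough of it to answer the first questions an analyst asks: who issued it, whether it is self-signed, how long it is valid, and what key it carries. The following is an added example (not code from the Joe Sandbox report and not RDM's own), written against the base64 exactly as the preview shows it. It walks the DER with a small standard-library TLV reader and reports the header fields: X.509 v3, sha256WithRSAEncryption, a self-signed "RDM Device Root" DN (OU "Device - for Internal Intranet use Only", support@rdmcorp.com) valid 2014-11-11 to 2024-11-08, i.e. exactly 3650 days, with a 2048-bit RSA key. It also shows that the outer SEQUENCE header declares 1121 DER bytes, which a 64-column PEM with LF line endings and a trailing newline (an assumption about the file's formatting) wraps in precisely the 1574 bytes the report lists. Function names are the example's own. The preview is truncated, so the modulus and signature are not available and cannot be checked here, and note that the report's MD5/SHA-1 are hashes of the PEM file, not the certificate thumbprint (SHA-1 of the DER), so a lookup in the Windows ROOT store has to go by subject name rather than by these hashes.

```python
# Added example (not from the Joe Sandbox report or from RDM): walk the DER prefix of the
# dropped PEM root certificate shown in the report preview, standard library only.
import base64
from datetime import datetime

# First 11 of the file's base64 lines, copied from the report's Preview field (the report
# renders each newline as "."). This is a prefix of the 1574-byte file: all header fields
# are intact, the RSA modulus and the signature are cut off and cannot be verified here.
PREVIEW_B64_LINES = (
    "MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD",
    "VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW",
    "BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu",
    "dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv",
    "b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx",
    "MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM",
    "B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y",
    "YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1",
    "c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB",
    "FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB",
    "CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo",
)
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU",
             "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress",
             "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """(tag, length, value offset) of the DER element at pos; single-byte tags suffice here."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0         # first octet packs the first two arcs
    for b in raw[1:]:                                  # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(buf):
    """X.501 Name = SEQUENCE OF SET OF { OID, string }, returned as {attribute: value}."""
    out, pos = {}, 0
    while pos < len(buf):
        _, ln, p = read_tlv(buf, pos)                  # RelativeDistinguishedName (SET)
        end = p + ln
        while p < end:
            _, l2, q = read_tlv(buf, p)                # AttributeTypeAndValue (SEQUENCE)
            _, ol, oq = read_tlv(buf, q)               # OBJECT IDENTIFIER
            _, vl, vq = read_tlv(buf, oq + ol)         # Printable/UTF8/IA5String value
            oid = decode_oid(buf[oq:oq + ol])
            out[OID_NAMES.get(oid, oid)] = buf[vq:vq + vl].decode("utf-8", "replace")
            p = q + l2
        pos = end
    return out

def expected_pem_size(der_len):
    """PEM size for der_len DER bytes, assuming 64-column base64, LF endings, trailing newline."""
    b64_len = -(-der_len // 3) * 4
    return 28 + b64_len + -(-b64_len // 64) + 26     # BEGIN line + body + body newlines + END line

def parse_cert_prefix(lines=PREVIEW_B64_LINES):
    b64 = "".join(lines)
    der = base64.b64decode(b64[: len(b64) - len(b64) % 4])   # drop a cut-off final group
    _, outer, pos = read_tlv(der, 0)                          # Certificate SEQUENCE
    der_total = pos + outer                                   # full DER size, known from the header
    _, _, pos = read_tlv(der, pos)                            # tbsCertificate
    tag, ln, p = read_tlv(der, pos)                           # [0] EXPLICIT version (absent in v1)
    version, pos = (der[p + 2] + 1, p + ln) if tag == 0xA0 else (1, pos)
    _, ln, p = read_tlv(der, pos)                             # serialNumber
    serial = int.from_bytes(der[p:p + ln], "big")
    _, ln, p = read_tlv(der, p + ln)                          # signature AlgorithmIdentifier
    _, ol, oq = read_tlv(der, p)
    sig_alg = decode_oid(der[oq:oq + ol])
    _, ln, p = read_tlv(der, p + ln)                          # issuer Name
    issuer = parse_name(der[p:p + ln])
    _, ln, p = read_tlv(der, p + ln)                          # validity { notBefore, notAfter }
    _, tl, tp = read_tlv(der, p)
    _, tl2, tp2 = read_tlv(der, tp + tl)
    not_before, not_after = der[tp:tp + tl].decode(), der[tp2:tp2 + tl2].decode()
    _, ln, p = read_tlv(der, p + ln)                          # subject Name
    subject = parse_name(der[p:p + ln])
    _, _, p = read_tlv(der, p + ln)                           # subjectPublicKeyInfo
    _, al, ap = read_tlv(der, p)                              #   AlgorithmIdentifier
    _, ol, oq = read_tlv(der, ap)
    key_alg = decode_oid(der[oq:oq + ol])
    _, _, bp = read_tlv(der, ap + al)                         #   BIT STRING; der[bp] = unused bits
    _, _, rp = read_tlv(der, bp + 1)                          #     RSAPublicKey SEQUENCE
    _, ml, mp = read_tlv(der, rp)                             #       modulus INTEGER
    key_bits = (ml - (der[mp] == 0)) * 8                      # drop the leading sign byte
    fmt = "%y%m%d%H%M%SZ"                                     # UTCTime (used for years before 2050)
    days = (datetime.strptime(not_after, fmt) - datetime.strptime(not_before, fmt)).days
    return {"version": version, "serial_hex": format(serial, "x"),
            "signature_algorithm": OID_NAMES.get(sig_alg, sig_alg),
            "issuer": issuer, "subject": subject, "self_signed": issuer == subject,
            "not_before": not_before, "not_after": not_after, "validity_days": days,
            "key": f"{OID_NAMES.get(key_alg, key_alg)}-{key_bits}",
            "der_total_len": der_total, "expected_pem_size": expected_pem_size(der_total)}

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in parse_cert_prefix().items()), sep="\n")
```

Self-signed here means the parsed issuer and subject attributes are identical, which is what a root in the Windows ROOT store looks like. The OU text and the dropped HTML elsewhere in this report that posts to https://localhost:736/SCM/4.0/scm.esp are consistent with the root being installed so that a local HTTPS listener is trusted; whether that is the actual purpose is not something the report proves. The operational concern is the same either way: a machine-wide trusted root whose private key lives on, or is distributed with, endpoint software can sign a certificate for any name, so after the 2024-11-08 expiry the installer can no longer rely on it and any remaining copy in the store should be located by subject name and removed.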
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4995416
                                                                                                                                                                                Entropy (8bit):7.998905724333139
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:98304:TsPj6quMBYyuSFOMKykvYgS/ylTpHufHMpPbOZ39c7T3eeom2vJtPShg:wPjzayuSgMKykQgSaTkvMxEYT3OfPShg
                                                                                                                                                                                MD5:CEDE02D7AF62449A2C38C49ABECC0CD3
                                                                                                                                                                                SHA1:B84B83A8A6741A17BFB5F3578B983C1DE512589D
                                                                                                                                                                                SHA-256:66B797B3B4F99488F53C2B676610DFE9868984C779536891A8D8F73EE214BC4B
                                                                                                                                                                                SHA-512:D2D99E06D49A5990B449CF31D82A33104A6B45164E76FBEB34C43D10BCD25C3622AF52E59A2D4B7F5F45F83C3BA4D23CF1A5FC0C03B3606F42426988E63A9770
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................L.......... ..................................................."L.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............K.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4995416
                                                                                                                                                                                Entropy (8bit):7.998905724333139
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:98304:TsPj6quMBYyuSFOMKykvYgS/ylTpHufHMpPbOZ39c7T3eeom2vJtPShg:wPjzayuSgMKykQgSaTkvMxEYT3OfPShg
                                                                                                                                                                                MD5:CEDE02D7AF62449A2C38C49ABECC0CD3
                                                                                                                                                                                SHA1:B84B83A8A6741A17BFB5F3578B983C1DE512589D
                                                                                                                                                                                SHA-256:66B797B3B4F99488F53C2B676610DFE9868984C779536891A8D8F73EE214BC4B
                                                                                                                                                                                SHA-512:D2D99E06D49A5990B449CF31D82A33104A6B45164E76FBEB34C43D10BCD25C3622AF52E59A2D4B7F5F45F83C3BA4D23CF1A5FC0C03B3606F42426988E63A9770
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................L.......... ..................................................."L.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............K.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):22445
                                                                                                                                                                                Entropy (8bit):4.756022236735267
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:35QzHCaou+vDy8tRP9v0Di6N9G5q+sP/oppqnd:3SGvprv0Di6N9GM+tp6d
                                                                                                                                                                                MD5:077D74570F3BCDFAF1446A1B10AB477B
                                                                                                                                                                                SHA1:115F6DBC318962C15400B8EAD9499E8997F9A70C
                                                                                                                                                                                SHA-256:ADE6F7E4C5D2B6D1285686ECD968BC4F14AC53E7D568292EA2E4556A81E02072
                                                                                                                                                                                SHA-512:63BF51961888A482A5D9727A9E6D2D5A81AA5492E64CBE15E731944E9036BA396D8DAFB22BCBAE58FFB0FCC4C1894BA527AEA06CED0B719319571801FD0BC501
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:#.# sample.conf -- Sample (Maximal) Configuration for the Embedthis Appweb HTTP Server.# .# This sample demonstrates many directives that can be used in an appweb.conf file..# Do not use this file directly, it is too verbose. Rather cut the sections you need.# into your own, minimal configuration file...#.# Server home directory for Appweb to find configuration files. .# Appweb will change directory to this location when it runs..#.# Home "."..#.# Define the logging configuration first so any errors are logged..# This is for errors and debug trace. This log file is for the whole.# server including virtual hosts. Add a timestamp every 1 hour..# This is overridden by appweb command line args: -v and --log..#.ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr..#.# Control the tracing of request and response requests to the error log..# This directive defines the levels at which various events are logged..#.# Log rx conn=5 first=2 headers=3
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with very long lines (608), with CRLF, LF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):25248
                                                                                                                                                                                Entropy (8bit):4.535394761469598
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:GxehBcD+eqacKS2MKfeJNzG51IBRXXRuaKlpNAiANMW++Ecq:Gxe/cDGacKS2ri9NBu3Ao
                                                                                                                                                                                MD5:41E3D157C9F798864CF43D5D06B1B9B0
                                                                                                                                                                                SHA1:A21EEBBBB4731FC3CDDC7D991B0F09DF98CA38E9
                                                                                                                                                                                SHA-256:82E4E1E2308985217975220A67F77CA88C5314D6596B936651F1F276C84FE705
                                                                                                                                                                                SHA-512:976504083CDA58FE2AEF13B7E8F0F55B37B3AF83AA9A32EAAB0F5282DBA110C8D8B32DF7E270F613113E2B5FC1E2E97CE031F41DD209F438771DA37C28327A37
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>ITMS Download Agent</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }.. </script>.... <script src="js/RDMFileDownload.js
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):11622
                                                                                                                                                                                Entropy (8bit):4.857450404916044
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:yfH0r8C1rCUXDcHoHl6mHLCMXTBXcSfcxH0:y/0r8QrCUXDael68LCMXFMSfcxH0
                                                                                                                                                                                MD5:5459FAA5C92FBC7A4BABDF42DA898D0C
                                                                                                                                                                                SHA1:DC869A04188C349EF196FF28712BE5FF688277EA
                                                                                                                                                                                SHA-256:2B06B69E50F0A6208494783389A1982B0A37B3F0DDD998BB75A7F99761ED1A3C
                                                                                                                                                                                SHA-512:6BE248A7054DF13EF5FD4ABE668C5449C6F1278E1CBAAFF7E7251C605BB7DFF2C6803A1409466A346335BA844A3D8CFCD09DE57E0152C8FDB6C56F533F51FA6F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Endorsement Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="endorsementsJS" type="text/javascript">...... var sharedObject;.... function OnEndorseSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.. var configXML = "<additionaldata>";.. configXML = configXML + sharedObject.GetScannerConfiguration(DeviceID.options[DeviceID.selectedIndex].value, false);.. configXML = configXML + "</additionaldata>";.. var xmlDoc = $.parseXML(configXML);.... $physicalEndorsement = $(xmlDoc).find("PhysicalEn
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15622
                                                                                                                                                                                Entropy (8bit):4.652831581163575
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:Oz7Ef0HdBrYjW17UKvyP5FUyWUnndXMNMasqve7mwm1Crxyw4:OsSdBrYjW17UKv65FUyWEndXMarZ4
                                                                                                                                                                                MD5:4E586642F7781A6E3CAF7898F93F1FED
                                                                                                                                                                                SHA1:40B52B3CF2808073270AFBCCA9830BC395062B83
                                                                                                                                                                                SHA-256:CDD71A5656EBF218BB2D94457D2930DC79D81F899B2A3D8A3A1634442554F6C8
                                                                                                                                                                                SHA-512:6ADB03888A5B2363AD842738AE4D323EF7E712534FFCAE82B5F2E87106A39EADB12D010261258C480821B0EA3543A6937D77046776DF78B020A9C6D34C7E897B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Additional Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="miscsettingsJS" type="text/javascript">...... var sharedObject;.... function OnMiscSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.... // disable any invalid options.. chkWantCodeline.disabled = true;.. chkCropImage.disabled = true;.. var ScannerVendor = sharedObject.document.getElementById("ScannerModel");.. //if (ScannerVendor.value != "SCI") {.. // RemoveSelectByValue("ReturnedImages", "front,rear,auxFront,aux
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):43367
                                                                                                                                                                                Entropy (8bit):4.531521815386101
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:qxe4deVLSh44rBLEXrGaaNmKS2Cg2sMGgxJTt3g38kos0u6rZjASgLq0w:qxe4DJNmKS2VMNZtuoZH
                                                                                                                                                                                MD5:7FA0B7B0DC9284A17618C73FDD20A983
                                                                                                                                                                                SHA1:2A2162A4998AC8C3AAE349392E6E9BBF03C9E42E
                                                                                                                                                                                SHA-256:44E7EF139E5DFD4EFEE3A806C0C56B45814096CC2183E4E05877FAC5226436B6
                                                                                                                                                                                SHA-512:A005D9CED8CBFA903020FFE1E0129F1253B8C7FBE6012884B0C4818F170E9DCE2ED30684FDC353D3ED145FD12FB43E76691F5A49A1128D5AD42AAA1197CE1C06
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <title>ITMS Scanner</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3838
                                                                                                                                                                                Entropy (8bit):5.088460692091686
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:BeuhLvClxA2HwBuE/Yjw/2lg6Y182BoNBdutalj2lxArHw32ly6Y182BoNB6kY0w:BJvl5BuU22QrpE32oQOK2ghdfgBfp
                                                                                                                                                                                MD5:F108F9ADD9825EB6AAE9F5297536C2C9
SHA1:EF4D740B1105D5206978D34792E872D3A8A407E9
SHA-256:3E7398F9667561DD5FB5CD0A1F5D5D0DF8A7F35D727B0019A21E10961A77B542
SHA-512:B5B3C624E99C8AC61EB3E0B96F3A36D5ECA484D4BD33235667053CEF26C57FFEF3107859CB38939EB3F999ABF2A59CF91029985D1DDD689EACFBB70211C630E9
Malicious:false
Preview:<html>..<head>..<script language="JavaScript" type="text/javascript">.... var SCM_Test_User="SCM_Test_Command";.. var SCM_Test_Host="https://localhost:736/SCM/4.0/scm.esp";.// Default......function scm_cmd_post(func, parm) // Post async request and let event do update..{.. var hr = new XMLHttpRequest();.....// Access the onerror event for the XMLHttpRequest object.. hr.onerror = function() {....alert("Error: Failed Accessing Device Interface !!");...}.... hr.open("POST", SCM_Test_Host, true);.... // Set content type header information for sending url encoded variables in the request.. hr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");.... // Access the onreadystatechange event for the XMLHttpRequest object.. hr.onreadystatechange = function() {... if (hr.readyState == 4 && hr.status == 200) {.... var return_data = hr.responseText;.....document.getElementById("txtTestResponse").value = "Async Post Result:\r\n"+return_data;...
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):42675
Entropy (8bit):4.637657121816673
Encrypted:false
SSDEEP:192:iLFkJLEsm17ztfMlzzCqd3R0WgrOMSKP/3Sx9TbUkcCDESxDME/Ogr+GN5J6eZ36:iLFQyQ394k5DX+/s8FAdVghXFi8NifMF
MD5:CFE3EFB0072A24800CE4CD451B1908EF
SHA1:E4E910E982F559E8B98E37C7303DE15DD7B88FEB
SHA-256:FD62ACB879187BC4754E692109F0A6C4A11CBD0258992AD4159E2A3AB0B27BAE
SHA-512:198237443B841DDC84BFEC25B79885BBF1B5D49F15783BFE8DE351E4AE72B2276C37D335417E90C549E4E7A9A0C19FFA738C0190864FACBF9BD484DDBEA99783
Malicious:false
Preview:<!doctype html>.<html lang="en">.<head>. <meta charset="utf-8" />. <meta http-equiv="Content-Type" content="text/html;charset=utf-8">. <meta http-equiv="Cache-control" content="no-store, no-cache, must-revalidate">. <meta name="description" content="SCM SAPI Scanner Test for QE">. <meta name="author" content="Frank McGovern - RDM Corporation a Deluxe Company">. <style>. #RecoveryDiv {. width: 720px;. padding: 5px 0;. text-align: center;. background-color: lightblue;. margin-top: 5px;. }. </style>.. <title>SCM SAPI Scanner Test</title>. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>. <script type="text/javascript" src="js/jquery-ui-1.10.4.custom.min.js"></script>. <script type="text/javascript" src="js/sapi.js"></script>. <script type="text/javascript" src="js/sapiconstants.js"></script>.. <link type="text/css" rel="stylesheet" href="css/qescm.css">.. <s
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2693
Entropy (8bit):5.04899888145215
Encrypted:false
SSDEEP:48:WtWxeBwedOzuw9nvl3Go2nXBCuRBLvump4NDCGd+jEBN9aJ07WmcWdCLv93gz:WE0Yl4nRFL4NDCGojouJduglW
MD5:13D4B9D21C71A89FC9EA4C351910F2E2
SHA1:0AF352061C6C29F10398B0F8E2FB3B2B3DA6B072
SHA-256:E8A691D35F929C64B5BC604BA580F35D531419493CE8CFB781EF13AEB6E019D2
SHA-512:BD0D0F8BFAEA198D73A3D68BE315F623171985CBB27A1248FBE8A31CAE72FB97FA6D0ED10E10BEDF5D9DACBA87CE3656E2F0855339638A25E111D185E9D23480
Malicious:false
Preview:* html body{}..html{}..body{...width: 100%;...height:100%;....padding:0;...margin:0;...font-family:helvetica,sans-serif;...background-color:#f2f2f2;..}....li a{...outline:none;..}....#wrapper{...min-height:100%;...position:relative;...background-color:#ffffff;..}....#topNav{...color:#ffffff;...background-color:#002341;...height:32px;...width:100%..}....#topLink{...list-style:none;...float:right;...margin-top:7px;...margin-right:120px;...font-size:15px;..}....#topLink li{...display:inline;...margin-left:20px;..}....#topLink a{...display:inline;...color:#ffffff;...text-decoration:none;...padding:7px;..}....#topLink a:hover{...text-decoration:none;...color:#ffffff;...background-color:#085472;..}.....inner{...max-width:960px;...min-width:480px;...margin-left:20px;...margin-right:auto;..}....#topBreak{...width:100%;...height:100px;..}....#topLogo{...margin-top:25px;...margin-left:25px;..}....#mainContent{...min-height:100px;...max-height:1200px;...width:100%;...background-color:#ffffff;...p
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2693
Entropy (8bit):5.04899888145215
Encrypted:false
SSDEEP:48:WtWxeBwedOzuw9nvl3Go2nXBCuRBLvump4NDCGd+jEBN9aJ07WmcWdCLv93gz:WE0Yl4nRFL4NDCGojouJduglW
MD5:13D4B9D21C71A89FC9EA4C351910F2E2
SHA1:0AF352061C6C29F10398B0F8E2FB3B2B3DA6B072
SHA-256:E8A691D35F929C64B5BC604BA580F35D531419493CE8CFB781EF13AEB6E019D2
SHA-512:BD0D0F8BFAEA198D73A3D68BE315F623171985CBB27A1248FBE8A31CAE72FB97FA6D0ED10E10BEDF5D9DACBA87CE3656E2F0855339638A25E111D185E9D23480
Malicious:false
Preview:* html body{}..html{}..body{...width: 100%;...height:100%;....padding:0;...margin:0;...font-family:helvetica,sans-serif;...background-color:#f2f2f2;..}....li a{...outline:none;..}....#wrapper{...min-height:100%;...position:relative;...background-color:#ffffff;..}....#topNav{...color:#ffffff;...background-color:#002341;...height:32px;...width:100%..}....#topLink{...list-style:none;...float:right;...margin-top:7px;...margin-right:120px;...font-size:15px;..}....#topLink li{...display:inline;...margin-left:20px;..}....#topLink a{...display:inline;...color:#ffffff;...text-decoration:none;...padding:7px;..}....#topLink a:hover{...text-decoration:none;...color:#ffffff;...background-color:#085472;..}.....inner{...max-width:960px;...min-width:480px;...margin-left:20px;...margin-right:auto;..}....#topBreak{...width:100%;...height:100px;..}....#topLogo{...margin-top:25px;...margin-left:25px;..}....#mainContent{...min-height:100px;...max-height:1200px;...width:100%;...background-color:#ffffff;...p
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):677
Entropy (8bit):4.695614879709572
Encrypted:false
SSDEEP:12:UgOIOw2saGoBPjKzoGDvxl3N/ar/rJRnEmlaX6VFBTe6NIZ:7yjPylaMAk
MD5:1F0FC0CD5EAF79E6418F468D9CC6678A
SHA1:0FADFFC0A4871C634C8DBDCC07B76970B3865E40
SHA-256:18FEB6098A29EB0CB98BEA31049D01FC616C430F7BB0A2203277B6C173ED1B3C
SHA-512:0670DA5463F046889AB3A14BA97541E9A0E6183E3D25F1EDB0F7E9AAD5C2C382138A9115711FCF30B60D3DCCC7A90B50CCDF9367AB606DF77682A4A95A11292C
Malicious:false
Preview:/* Style the tab */...tab {.. overflow: hidden;.. border: 1px solid #ccc;.. background-color: #f1f1f1;..}..../* Style the buttons that are used to open the tab content */...tab button {.. background-color: inherit;.. float: left;.. border: none;.. outline: none;.. cursor: pointer;.. padding: 14px 16px;.. transition: 0.3s;..}..../* Change background color of buttons on hover */...tab button:hover {.. background-color: #ddd;..}..../* Create an active/current tablink class */...tab button.active {.. background-color: #ccc;..}..../* Style the tab content */...tabcontent {.. display: none;.. padding: 6px 12px;.. border: 1px solid #ccc;.. border-top: none;..}
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):677
Entropy (8bit):4.695614879709572
Encrypted:false
SSDEEP:12:UgOIOw2saGoBPjKzoGDvxl3N/ar/rJRnEmlaX6VFBTe6NIZ:7yjPylaMAk
MD5:1F0FC0CD5EAF79E6418F468D9CC6678A
SHA1:0FADFFC0A4871C634C8DBDCC07B76970B3865E40
SHA-256:18FEB6098A29EB0CB98BEA31049D01FC616C430F7BB0A2203277B6C173ED1B3C
SHA-512:0670DA5463F046889AB3A14BA97541E9A0E6183E3D25F1EDB0F7E9AAD5C2C382138A9115711FCF30B60D3DCCC7A90B50CCDF9367AB606DF77682A4A95A11292C
Malicious:false
Preview:/* Style the tab */...tab {.. overflow: hidden;.. border: 1px solid #ccc;.. background-color: #f1f1f1;..}..../* Style the buttons that are used to open the tab content */...tab button {.. background-color: inherit;.. float: left;.. border: none;.. outline: none;.. cursor: pointer;.. padding: 14px 16px;.. transition: 0.3s;..}..../* Change background color of buttons on hover */...tab button:hover {.. background-color: #ddd;..}..../* Create an active/current tablink class */...tab button.active {.. background-color: #ccc;..}..../* Style the tab content */...tabcontent {.. display: none;.. padding: 6px 12px;.. border: 1px solid #ccc;.. border-top: none;..}
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:GIF image data, version 89a, 40 x 40
Category:dropped
Size (bytes):1738
Entropy (8bit):7.502920326603858
Encrypted:false
SSDEEP:24:sGz2pFNTXqQcDpLTEejbYLIGAvYdq52UdgOjWTiTkb9NFw/y0tcsE:7ShTXqQK+ePYLIGQhgbykpvydtnE
MD5:2B912F7C0653008CA28EBACDA49025E7
SHA1:16FD304B0511EB4792545FF12A53C9C19F98FDF7
SHA-256:C7BCC76FB23C0430B36EC448EB79F8BC34129DAE95DA10F3C14ED0EACDF2F1B9
SHA-512:AB9701F82DADB01092AD78BDA4028E6E695F5CA2C7D2E27CB1D46E8E648BBD73E2A148C52927E9A4EB80ECCDB563FC3FD34CDF55B60ADE6153CBA29122859FB9
Malicious:false
Preview:GIF89a(.(..........!..NETSCAPE2.0.....!.......,....(.(.......z....KN...Y#......7.)z.......v[3....x..Pw..Ea..F.Of...V.Ye.||/..X\...Wr..o.$..m^..K0>.'.$u..f...6G....'Xg.5..5.....)9.):ZiYJ....y.Y..!.......,....(.(........}...Q6...a....._y.#.i.j.K.-|..K3^.....Pw..&KO..=7IfTz.LMYh.....cdX\1..ie..a.. ..}...wl.....5..Cg..GB.....)..'..hY9..IHy....YjZG.h'j85...P..!.......,....(.(........m...Q6.,.@o.-`.u$.>.I...z/...6.9~[....^O.......t6.Ac.:......v.N?cUX|.f.&6x......_~..G........(b.....8.X..%.x7IX..I9x......(I:.Y*.XYv..P..!.......,....(.(.....o....;.MZ..Y.|......([.....9.9......1`P.2...!.H.>oQ..W.^..d..s..c2...*Si.y.....x.[..s.^...VGW.wg...........x.Y.8I.I...yIZj.....)X.f).:.R..!.......,....(.(...........CqMZ..Ym.5W(..F~..'..-:.|......1p?..X...1d.F.SL.q...n..e^.A..<.V!......V..\..d=...v'....wh8...8hW......H..........I.y.F.Yi.Y:)y.z.*.IzT..!.......,....(.(...........;.MZ.E9m.m.'.exf..V+z.Mk.u.O.....i.3\..2...bQwt.. ...b..e.+M~.Hq.;....0..nC.[y....c
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
Category:dropped
Size (bytes):262
Entropy (8bit):5.967325013380225
Encrypted:false
SSDEEP:6:6v/lhPh8EFtlNeEvLpLa8qtqDUblKzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7JptlUILUPtylzS+f3E52EML3Eflz
MD5:557FC2338A04EEEF50F3C7D45DDE2F98
SHA1:05EC73A146736833B10B068CC948A87DFDB29CBA
SHA-256:2F840CC0DE69EC024C62422982CB1336FCC580BD1AA1AA20BF1F5C7DE9A08BBF
SHA-512:E65F56FD50B3D735D9271A0D321388BE4713518E8C26057C7487C704191CE0BD6981D4F5F77E3FBCBE646C738F125D394047D9E0B79F26ECF4F6E30245AAC44C
Malicious:false
Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..a.."..[..n{1.qc...po"..?..3..}`xR...1.s?....^^bxu..u)..h.....W.%R..|...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 40 x 100, 2-bit grayscale, non-interlaced
Category:dropped
Size (bytes):212
Entropy (8bit):5.38272561855122
Encrypted:false
SSDEEP:6:6v/lhPnHvll2VztlN4EYyzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7vHWVztlyENzS+f3E52EML3Eflz
MD5:BE7FFA4D7FFD17E1D89F40F855FF4BDA
SHA1:F0FE1D67D4987DE9CF39A4411A198B17E4555C55
SHA-256:EF819A83D74E67F3354676FF3A3077F01B1BE9CFD17D26655EA32874C1B094E8
SHA-512:ADDDB90BE4BA90C48A9A0E39D12ED0159F15D3DB69B36F511D740A7DFB2BFB2FB33C21BAA0D8D403B3C6F3153CCB719B771909013097B389BE82EA448AF5E30F
Malicious:false
Preview:.PNG........IHDR...(...d.......5.....bKGD..3.r.....pHYs...H...H.F.k>....IDAT8.cX.....Q.(s.I....I./ZW.....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
Category:dropped
Size (bytes):6992
Entropy (8bit):7.9272661175047565
Encrypted:false
SSDEEP:96:LZYGBeZMj+hjoHCZi6hO7IEyv46uByg78SmVNN2AxGiaiBK+aOvAdCO6cIi29TvE:LRj+h1tkIz46uhhwNNlGiaiBKmA4Uw2Z
MD5:6B29E362591A05E270B33C4FC3F67CB2
SHA1:6CB0B3A5C3CB2EE9FBAEF3CB156C06BB4F15FC82
SHA-256:A8D28E2D83A807B2B86ED2A02E31086F6C0718DFA96E0BA6A4577B657F69CC34
SHA-512:B73EB60C9B76FD504D46E5844673D9624C1A62A1F0C099F3C79242AEF4856C40CE6B97E38DB713CCC5E131D6C02615E90127350610A0A4D49959E56C940C6813
Malicious:false
Preview:.PNG........IHDR.............E.r@....bKGD.E.;.-....pHYs...H...H.F.k>...mIDATx..{leG}.?g.K..$.....U.!.>T....J..i6A".V..R%;.."...*UP).../......z..RJ..F....QP...z..BQ.H.VU.........5s..9..^.3...{~....7s.7...<.......`...... c...A.b/..@..[.V.D...0..3AX9..0.N...._..B.......&...>~..>..c.;ab..D..E......Q.z..'k...M.ay......6..!.:u.:..:@R....B.yDD....'.L..-.f.]S..q.!..f...S....Q.&..S..7MC..r==3d.J...{...f.Z...S0.Ms..:0K.g........&H.U.=.mc.4.i?U..G..U4.hc..Qb....].!..hL...W.../........@........px.h8.~.|.A...Qf?....1f......=u.....Q.GJH...p....P.I.w.m.....>2.....".W.P&{..n....T:s...f.q...H@.....c.I.......~.S.s+.^|B.n.29..d..H.......]..v.-.-m.e.h.>..........q&....g..9x.#c..n..~!.....px.h8..4.^.../.......o..#..Z@..S....^..4. K.ZKP..d.9...C@.F[.......,..a+......]8..v..K..q.H.l.w9...84.K.B...|..&...#..[.\C.....`..R..!.....:.F.z..C...6..)A....T1wU.I..!4..ig.3w.............E:..q7.......n..0uA...mP..y..T.K(5....lN.b.T....rw.DV.]..t..e4...7....L......[..C..0....P...&..0
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):335
Entropy (8bit):6.506923664922411
Encrypted:false
SSDEEP:6:6v/lhPh1rZTp5mtlNg7cZPJdE0CDRGnmQflByQL4xzgN+u+3dfWVd6q2EML3dfWn:6v/7J1rZVQtl5gR8nBtx4xzS+f3E52ER
MD5:83DB3DC94C956A82963FDF628F9D8759
SHA1:CFF216A08143F03C8636DDF90A726726D7091682
                                                                                                                                                                                SHA-256:577C14708886C14A477778473401F82C713E81678BAFC84A7F6FE8E1BAD51148
                                                                                                                                                                                SHA-512:6AAD50376B828DB160396517EBB256FE36A8648EECD9929A133C4F1B439B1E8C75130D87FB3A611D206B9A43504AA1DC31C1D2F27C89F8FA37CE80FB65C44E27
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH...!..A.....b.l.....A.1{..V.Y0i..x...x..v......D.K_..O..9....a......}..^..Ja..0b.vBA.$.,.Q..."_44....=.Sqc..yE..I..W..<kA....i.0....<a$S..y....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 1-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):207
                                                                                                                                                                                Entropy (8bit):5.421473036166773
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh3DVztlNLyjl2XIzgN+u+3dfP6tgg2EML3dfP6uup:6v/7JBtlxXIzS+f3p6tgg2EML3p6j
                                                                                                                                                                                MD5:B790D06E1309EDF0A735331A2D2EB539
                                                                                                                                                                                SHA1:16ADC28CB33F544C1C88103421F091B62EFA2FD6
                                                                                                                                                                                SHA-256:DA621753D6DF757A81DD67C656B8B71E0A43067D3EBB3F46715A704C734CA35C
                                                                                                                                                                                SHA-512:AA15D5F1BF4D8680AF67AE377251AA876AB8541899ABFB89539D3632D948BF9BC5A93E5057CD8FFF240AB19AD5CE750B51D004F6344E960E501AD385C6480A49
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............G#7v....bKGD.........pHYs...H...H.F.k>....IDAT(.ch`...p....h...4.i...%tEXtdate:create.2014-01-19T18:55:02-08:00.......%tEXtdate:modify.2014-01-19T18:55:02-08:00...p....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6922
                                                                                                                                                                                Entropy (8bit):7.940828041549464
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:EtbmwCm38cHXpuWxCxISffIuZ/vTwcZMCCn7/totek2HAqcRln2cM3+gpDR:AqdmzXpMbxMCK76tdqAZje+8N
                                                                                                                                                                                MD5:A1B3887A86CF1791F23C0B53B4D3585F
                                                                                                                                                                                SHA1:692A53CAD7F748BC7B691B98B9116CE3269CD22B
                                                                                                                                                                                SHA-256:3B1AC036763D3A59C88578486AE698D22A37DD2D46A553485E1EABB9FE255B3F
                                                                                                                                                                                SHA-512:A055B57AE02D64DD85EFED7EC939B8A50A35F85F18D1DE3245A9D634C9A613EE29CFF401BCBE222321A46AA77AB0EA705E917EC57A58B08002F55D2090B7AC71
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............E.r@....bKGD."..b.....pHYs...H...H.F.k>...'IDATx..{he.}.?g.....{..1.)......]K&qq.U.4k.biK.R(H...B..P(I.vJ._....IV.@.nB.5i.N...i.G.jq.&.~A#Q.....rX'.....9.:..{.3.E{.=.y.o~3g~..Mp..&.....1Xx.h8<...#dl..Mx..1.&..$..5..~...V.....c.$.......,..........i...N:.Z....Y...>.."..B...H!...........-..C.u.8t..}....8.!.B...*.OF...[.a...l...B&......1h.>..M]hN...4MAb....!(..h.E.1.5j.cO.<6.e7..,e...S(..f..o.16+3.y.JR.|.{.^3.^.....{.88..........~'.....px.h8<.4.........g............2..n..6e.......{......Q.......p...P.A..i...f.S.....(..D..'.L.6=......T:s...f.q...l....c.I......=.i...M.>...LN{.U..&.......&...{u...o...........4.~#.....px.h8<.4.........g.......p...^i....../.0.....TW..c.......Q.... .@)..y...u}`L...Uc...%T..................A..R..@.?..P.-`....BKl..b.....Z}.............uJ....%U.].K2..e..ts.Y...@,e.e.....r..jc.s...M..n..0.A...mP..y..D.K(5.,...lN.&b.D.m..rwYDV....t..e$.......L......[..C..0O...P...&..0.....+..;...g...3@........px.h8<.4
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):332
                                                                                                                                                                                Entropy (8bit):6.459714673231968
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh1rZTp5mtlNYkx7GFaO29kJ/iNB9o7+2vEK9ZfES5lB2zgN+u+3dfWVd6c:6v/7J1rZVQtlOnwk1em+2vEKvEA2zS+c
                                                                                                                                                                                MD5:44606DD4F249740D494943643B1C8718
                                                                                                                                                                                SHA1:BEBC84E5BB020065A1D790101B9345AA21EC7633
                                                                                                                                                                                SHA-256:EF724E84645EF2DC9769BDDCB6FE832407372A4740C6AEF3E25AEA2AE6F51853
                                                                                                                                                                                SHA-512:7B73C187AA88FF5CE5671D620D9F8933A3B5ED04F95929970A7F785F50232AACE33E5135EA242A2C89339D750437B0B40D12928B7CD768A008D743FBAAF73590
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH.....a........\!V....J#X.....D}.....f.>....>...P..x...x......q....u...q...f.+..6....[..\.......W.T4r...6:.]V:...,.(....8..y.G-(d...H...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6999
                                                                                                                                                                                Entropy (8bit):7.9356094432043145
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:0H63l6XnD/aZzXcHhG8RL8h8xnJ4f8lKoQpID8Dj:33qbaZzXUnYh8lJ4fsgIS
                                                                                                                                                                                MD5:302AE7A7AED5730C16146B677B123638
                                                                                                                                                                                SHA1:D0144B794640E1126F782B5332C8539FE2D3AEF4
                                                                                                                                                                                SHA-256:E2D1B1C7C51F8C30431327FE43029D62B6D5DFD2D95BBD6B8B9929C178DBA4BF
                                                                                                                                                                                SHA-512:B65B0DCE5A2B0348F51E2D41E07A3A7B11F051E3A0517B5DD2EA2327C2E2DF0908CFA33597B34B2D1C89D6BFB91C9F432A564233DD9D763CEAC67A751B618378
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............E.r@....bKGD..I.( ....pHYs...H...H.F.k>...tIDATx..{le.}.?g..k..u...J.>D.C.^.Q...M..H..*MU...h.(*$H...R.*j...D.].....)..(M6..F.6!6..-..xI...i.-.. HN.8..s.u....g......f....7..3........7..x..^.../.2&...v&v.^.DL..l6I..-..o?...cn...D Iy.e.#d.0+.0.3..~.......0.g'L.V...[...R.C:B..~(...)$q.vX.u.B@...E@`H.N.G.....`TA.%=].qA.w..J)..u).9.:e.9d.`V..0.A{..=..BS*.....S..gF.A....-(D...R.@..".....g'.U.,eS.w.......j...*.)l.[.....HLy....9......j.a.I6..MR.~...~..nG....3........@........px.h8..4.~=@>...(...mE...3a\.`~..=u.....Q.....[..f.3W..A...i..oK}3w..gV........,.j....n2..*....m..M..].y=..xn"..co....L"..7]...EC.:d..H.z.E@W...f+^.e.6v.E4..O...`.......)l..:..7.....){._.....~".....px.h8..4.^.../......./..#..\@..S..^.T.0s.Zs.1.J..1.Pr....h.w...V..E.g....S..T..Q5.[.\B...O.`+..>}....\...6.../0..k.g...1[..Kh.....l.X....._.Z.^IA......^.N..4v...OW=%i^.<...9.t.f .2.......B.Hg.6....!u..\.Z..&.....2....s....U.]..i.T..... ..]..Ua.q;].A...:.r.G-3.<.F..n
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 100, 16-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):280
                                                                                                                                                                                Entropy (8bit):6.115389891689244
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPeNkFtlNokzySWow3tumS4E8U0xzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7WNEtl+LZoat3S4e0xzS+f3E52EMa
                                                                                                                                                                                MD5:443BD890A55AD6B7E5FC5383F730A44C
                                                                                                                                                                                SHA1:D18316E7AFC637F466687831C460A8B767615776
                                                                                                                                                                                SHA-256:E8CFB6E4753C0E1ED877146B6F497A733EEDCDA8BE4264C91A191204DFD9FB94
                                                                                                                                                                                SHA-512:B0B792C2EC487A0007F8F27FEA0D8DE9EF149092461E8334A433EB8F3CD6BE86A46EA53FA40CA84D9A3B384803AAD144573B4CD88CBBE9A09E0A98D11630E9D5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.......d.....2.......bKGD....1.....pHYs...H...H.F.k>...ZIDAT..cx|..Nh.........2<hc._.p/..n,....[_.n.g...p=.......w2\je.X.pa...&.s....b8..p...".....Y{....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):262
                                                                                                                                                                                Entropy (8bit):5.951536690657124
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh8EFtlNeMI2WoVk08K6x2zgN+u+3dftGRxEML3dfttp:6v/7JptlUM4oVN8KhzS+f37GEML37D
                                                                                                                                                                                MD5:5AA0A5172050CF33EE52543E2A39F650
                                                                                                                                                                                SHA1:353190E4DDA3C63D693BCA9DEC6ABCD092796322
                                                                                                                                                                                SHA-256:A0FCE4E506385D26CD1DD95EB2CA995C9541DD43153159C8313F32A3A0374792
                                                                                                                                                                                SHA-512:D0D82FCAA75C6EC976B63B11169F266903EB6DDD15B44CEC1C2F5A9BD9654F446AE17D0EF7526C263EFE753E6B39F46906F595FBAEA8543976F7493DB757BE36
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..0.F...g.....ax1..e&.8..!.ob..2..fx......#3......>...QD....@.$..5o...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4549
                                                                                                                                                                                Entropy (8bit):7.7588806674823365
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:gezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:gebVPOjmYBL0o7j+AdJQgEza
                                                                                                                                                                                MD5:5C78585B80FBF4342D21674A04E89C8B
                                                                                                                                                                                SHA1:BA54B02521C09485695A9F409BA3E6FF7EDE90AD
                                                                                                                                                                                SHA-256:003822ED55AD9191E071798370E41363A617B138EAE18623AD9D864CA5F357CE
                                                                                                                                                                                SHA-512:77B280FAB498352647A1271A7B9E1D7A54EA3E30838A780BA2DB649ADDF7E8BBADACAF0A00BFA37BA7E7EB3084E90810451E8ECEC2647D3917507EFD17B90CDC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR..............IJ.....PLTE..............................................................................................................................................................................................................................................................................4.v....YtRNS...3..P.../"Uq@f`..2..!<.BHK .Z#'1S,.4...j...8E....|.........)...Q$.......b.J..m.Gc?o..h.@^.....bKGD....H....pHYs...H...H.F.k>...dIDATx..].c....H..].K....d..%....lm....w].....|.p..X..m.-....}<.w.(....1.$...;..F.@..%..?......B,..L.h{.t...#....T@./?.j...9..m..N. #...+`....`..I....._.-s..U0..M...[...s..4`x.....#....D<....~...K....4.]`..PDDDDDD.q......Ek@....A...~.*.....!Y...X...`.hv3\LX...Ot.J.2.b..l.QI<.... ...6..-X.l..6..H..|=j..`E.iq....Cv:..q............C?.?.....x.,..r*t..}|;.kP.4....d.Y....f....K..~[.>.X:+.i.......QV.9.\.....e...'...A.tO.S.:7..2.....YsxM....B....&....z.>n.C...@..r@...*.a.....%...MFDDDDDD.T.....H,...E....RU..n....<..V-.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:GIF image data, version 89a, 40 x 40
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1738
                                                                                                                                                                                Entropy (8bit):7.502920326603858
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:sGz2pFNTXqQcDpLTEejbYLIGAvYdq52UdgOjWTiTkb9NFw/y0tcsE:7ShTXqQK+ePYLIGQhgbykpvydtnE
                                                                                                                                                                                MD5:2B912F7C0653008CA28EBACDA49025E7
                                                                                                                                                                                SHA1:16FD304B0511EB4792545FF12A53C9C19F98FDF7
                                                                                                                                                                                SHA-256:C7BCC76FB23C0430B36EC448EB79F8BC34129DAE95DA10F3C14ED0EACDF2F1B9
                                                                                                                                                                                SHA-512:AB9701F82DADB01092AD78BDA4028E6E695F5CA2C7D2E27CB1D46E8E648BBD73E2A148C52927E9A4EB80ECCDB563FC3FD34CDF55B60ADE6153CBA29122859FB9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:GIF89a(.(..........!..NETSCAPE2.0.....!.......,....(.(.......z....KN...Y#......7.)z.......v[3....x..Pw..Ea..F.Of...V.Ye.||/..X\...Wr..o.$..m^..K0>.'.$u..f...6G....'Xg.5..5.....)9.):ZiYJ....y.Y..!.......,....(.(........}...Q6...a....._y.#.i.j.K.-|..K3^.....Pw..&KO..=7IfTz.LMYh.....cdX\1..ie..a.. ..}...wl.....5..Cg..GB.....)..'..hY9..IHy....YjZG.h'j85...P..!.......,....(.(........m...Q6.,.@o.-`.u$.>.I...z/...6.9~[....^O.......t6.Ac.:......v.N?cUX|.f.&6x......_~..G........(b.....8.X..%.x7IX..I9x......(I:.Y*.XYv..P..!.......,....(.(.....o....;.MZ..Y.|......([.....9.9......1`P.2...!.H.>oQ..W.^..d..s..c2...*Si.y.....x.[..s.^...VGW.wg...........x.Y.8I.I...yIZj.....)X.f).:.R..!.......,....(.(...........CqMZ..Ym.5W(..F~..'..-:.|......1p?..X...1d.F.SL.q...n..e^.A..<.V!......V..\..d=...v'....wh8...8hW......H..........I.y.F.Yi.Y:)y.z.*.IzT..!.......,....(.(...........;.MZ.E9m.m.'.exf..V+z.Mk.u.O.....i.3\..2...bQwt.. ...b..e.+M~.Hq.;....0..nC.[y....c
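Each dropped-file entry in this section carries a libmagic-style file type, a size, an 8-bit entropy value, MD5/SHA1/SHA-256/SHA-512 digests and a printable preview. The script below is an added example, not code from the Joe Sandbox report or from the analysed installer: it recomputes those fields from raw bytes so that a file recovered from the sandbox VM (or from a host where this installer ran) can be checked field by field against an entry above. The PNG and GIF inputs are constructed inline and are not the report's files, the libmagic wording is reproduced only for the two image formats that appear in this section, and the SSDEEP field is left out because it needs the ssdeep library.

```python
"""Recompute the dropped-file fields a sandbox report lists (added example).

Not code from the Joe Sandbox report or the analysed installer: rebuilds the
libmagic-style file type, size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512 and
printable preview from raw bytes so a recovered file can be checked against an
entry above. SSDEEP is not recomputed (needs the ssdeep library); inputs are constructed.
"""
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# IHDR colour type -> wording used by libmagic (and the report), separator included
_PNG_COLOR = {0: " grayscale", 2: "/color RGB", 3: " colormap", 4: " gray+alpha", 6: "/color RGBA"}
# report field name -> hashlib algorithm name
_HASHES = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

def png_ihdr_crc_ok(data: bytes) -> bool:
    """True if the first chunk is a 13-byte IHDR whose CRC-32 (over type+body) matches."""
    if len(data) < 33 or data[8:16] != b"\x00\x00\x00\x0dIHDR":
        return False
    stored, = struct.unpack(">I", data[29:33])
    return stored == (zlib.crc32(data[12:29]) & 0xFFFFFFFF)

def describe_png(data: bytes) -> str:
    """IHDR body (big-endian W, H, depth, colour, ..., interlace) -> report-style file type."""
    if not data.startswith(PNG_MAGIC) or not png_ihdr_crc_ok(data):
        raise ValueError("not a PNG, or IHDR missing / CRC mismatch (damaged or tampered header)")
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
    if color not in _PNG_COLOR:
        raise ValueError(f"invalid PNG colour type {color}")
    lace = "interlaced" if interlace else "non-interlaced"
    return f"PNG image data, {width} x {height}, {depth}-bit{_PNG_COLOR[color]}, {lace}"

def describe_gif(data: bytes) -> str:
    """'GIF' + version + little-endian logical-screen width/height -> report-style file type."""
    if len(data) < 10 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("not a GIF87a/GIF89a header")
    width, height = struct.unpack("<HH", data[6:10])
    return f"GIF image data, version {data[3:6].decode('ascii')}, {width} x {height}"

def describe(data: bytes) -> str:
    """Magic dispatch for the two formats seen in this section; anything else is 'data'."""
    if data.startswith(PNG_MAGIC):
        return describe_png(data)
    return describe_gif(data) if data[:3] == b"GIF" else "data"

def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant input, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def digests(data: bytes) -> dict:
    """Upper-case hex digests keyed by the report's field names."""
    return {field: hashlib.new(algo, data).hexdigest().upper() for field, algo in _HASHES.items()}

def preview(data: bytes, limit: int = 1024) -> str:
    """Rendering like the report's Preview line: printable ASCII kept, every other byte is '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])

def dropped_file_record(data: bytes) -> dict:
    """Every recomputable field of one dropped-file entry, keyed exactly as in the report."""
    rec = {"File Type": describe(data), "Size (bytes)": len(data), "Entropy (8bit)": shannon_entropy(data)}
    rec.update(digests(data))
    rec["Preview"] = preview(data)
    return rec

def verify_against_report(data: bytes, reported: dict, entropy_tol: float = 1e-6) -> list:
    """Names of reported fields that disagree with `data`; [] means the bytes match the entry."""
    actual, mismatches = dropped_file_record(data), []
    for field, value in reported.items():
        if field not in actual:  # Process, Category, SSDEEP, ... are not recomputed; skip them
            continue
        if field == "Entropy (8bit)":
            ok = abs(float(value) - actual[field]) <= entropy_tol
        else:  # hashes compare case-insensitively, everything else as text
            ok = str(value).strip().upper() == str(actual[field]).upper()
        if not ok:
            mismatches.append(field)
    return mismatches

def make_png(width: int, height: int, depth: int, color: int, interlace: int = 0) -> bytes:
    """Constructed input: signature + IHDR + one tiny IDAT + IEND, each chunk with a valid CRC."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, depth, color, 0, 0, interlace)
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00")) + chunk(b"IEND", b"")

# Constructed GIF89a header: 40 x 40 logical screen, no global colour table, trailer only.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 40, 40) + b"\x00\x00\x00" + b";"

if __name__ == "__main__":
    for field, value in dropped_file_record(make_png(1, 400, 16, 2)).items():
        print(f"{field}:{value}")
```

To check a real artifact, read it with `open(path, "rb").read()` and pass the report's values for the fields of interest (for example the four digests, size and file type) to `verify_against_report`; an empty list means the bytes on disk are the ones the entry describes, and any other result names the fields that differ. The IHDR CRC check matters for the PNG case because a dimension or colour-type field patched after the fact keeps the PNG signature but no longer matches its stored CRC, so a damaged or tampered header is reported instead of being silently described.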
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4549
                                                                                                                                                                                Entropy (8bit):7.787336530544679
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:eezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:eebVPOjmYBL0o7j+AdJQgEza
                                                                                                                                                                                MD5:764C37EFBF6D7FFC176B466FADC6F2CA
                                                                                                                                                                                SHA1:A57A7F1775369985C3335C351575DF127C6CFEA2
                                                                                                                                                                                SHA-256:3D3E274632C78C97B550BB7D2291462E2584F523A15CDC1B9535E7BFABD0CE30
                                                                                                                                                                                SHA-512:206A63D9A0B0A4DB870FD927C8E6AB4E2C890A9F3ADACB6B43B6B735D45FE62D92A2B91003C176D7D6DDFA076BB6E6DDDB3A8520F1030BE64877214288CD0F62
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR..............IJ.....PLTE.................................................................................................................................................................................................................................................................................o...YtRNS...3..P.../"Uq@f`..2..!<.BHK .Z#'1S,.4...j...8E....|.........)...Q$.......b.J..m.Gc?o..h.@^.....bKGD....H....pHYs...H...H.F.k>...dIDATx..].c....H..].K....d..%....lm....w].....|.p..X..m.-....}<.w.(....1.$...;..F.@..%..?......B,..L.h{.t...#....T@./?.j...9..m..N. #...+`....`..I....._.-s..U0..M...[...s..4`x.....#....D<....~...K....4.]`..PDDDDDD.q......Ek@....A...~.*.....!Y...X...`.hv3\LX...Ot.J.2.b..l.QI<.... ...6..-X.l..6..H..|=j..`E.iq....Cv:..q............C?.?.....x.,..r*t..}|;.kP.4....d.Y....f....K..~[.>.X:+.i.......QV.9.\.....e...'...A.tO.S.:7..2.....YsxM....B....&....z.>n.C...@..r@...*.a.....%...MFDDDDDD.T.....H,...E....RU..n....<..V-.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 40 x 100, 1-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):208
                                                                                                                                                                                Entropy (8bit):5.441070699788578
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPYOljVztlNQkn7DvF2zgN+u+3dftGRxEML3dfttp:6v/7PxtlGqDvkzS+f37GEML37D
                                                                                                                                                                                MD5:79D203EB970FDEE9B5FEE9DD3DCBC573
                                                                                                                                                                                SHA1:E931594A1BE4241B4923C328C6E5061B9F0D0A4B
                                                                                                                                                                                SHA-256:3C6BCFE102425A0E8CAA4A268C148F9D10E9C65B5277FC026299356EBD17C1DE
                                                                                                                                                                                SHA-512:B40428CCB942FD8C5592EDC0343D3E5C2EA9EF4160F4580E23039DAA8AF5C34F507E58A36993BC7F77712441A687DFC7C203723D0BBF0E411D80DCF00F6C15F2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...(...d.......O.....bKGD.........pHYs...H...H.F.k>....IDAT(.c......(IU........{...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 40 x 100, 2-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):212
                                                                                                                                                                                Entropy (8bit):5.38272561855122
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPnHvll2VztlN4EYyzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7vHWVztlyENzS+f3E52EML3Eflz
                                                                                                                                                                                MD5:BE7FFA4D7FFD17E1D89F40F855FF4BDA
                                                                                                                                                                                SHA1:F0FE1D67D4987DE9CF39A4411A198B17E4555C55
                                                                                                                                                                                SHA-256:EF819A83D74E67F3354676FF3A3077F01B1BE9CFD17D26655EA32874C1B094E8
                                                                                                                                                                                SHA-512:ADDDB90BE4BA90C48A9A0E39D12ED0159F15D3DB69B36F511D740A7DFB2BFB2FB33C21BAA0D8D403B3C6F3153CCB719B771909013097B389BE82EA448AF5E30F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...(...d.......5.....bKGD..3.r.....pHYs...H...H.F.k>....IDAT8.cX.....Q.(s.I....I./ZW.....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 40 x 100, 1-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):208
                                                                                                                                                                                Entropy (8bit):5.441070699788578
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPYOljVztlNQkn7DvF2zgN+u+3dftGRxEML3dfttp:6v/7PxtlGqDvkzS+f37GEML37D
                                                                                                                                                                                MD5:79D203EB970FDEE9B5FEE9DD3DCBC573
                                                                                                                                                                                SHA1:E931594A1BE4241B4923C328C6E5061B9F0D0A4B
                                                                                                                                                                                SHA-256:3C6BCFE102425A0E8CAA4A268C148F9D10E9C65B5277FC026299356EBD17C1DE
                                                                                                                                                                                SHA-512:B40428CCB942FD8C5592EDC0343D3E5C2EA9EF4160F4580E23039DAA8AF5C34F507E58A36993BC7F77712441A687DFC7C203723D0BBF0E411D80DCF00F6C15F2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...(...d.......O.....bKGD.........pHYs...H...H.F.k>....IDAT(.c......(IU........{...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):335
                                                                                                                                                                                Entropy (8bit):6.506923664922411
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh1rZTp5mtlNg7cZPJdE0CDRGnmQflByQL4xzgN+u+3dfWVd6q2EML3dfWn:6v/7J1rZVQtl5gR8nBtx4xzS+f3E52ER
                                                                                                                                                                                MD5:83DB3DC94C956A82963FDF628F9D8759
                                                                                                                                                                                SHA1:CFF216A08143F03C8636DDF90A726726D7091682
                                                                                                                                                                                SHA-256:577C14708886C14A477778473401F82C713E81678BAFC84A7F6FE8E1BAD51148
                                                                                                                                                                                SHA-512:6AAD50376B828DB160396517EBB256FE36A8648EECD9929A133C4F1B439B1E8C75130D87FB3A611D206B9A43504AA1DC31C1D2F27C89F8FA37CE80FB65C44E27
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH...!..A.....b.l.....A.1{..V.Y0i..x...x..v......D.K_..O..9....a......}..^..Ja..0b.vBA.$.,.Q..."_44....=.Sqc..yE..I..W..<kA....i.0....<a$S..y....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 1-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):207
                                                                                                                                                                                Entropy (8bit):5.421473036166773
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh3DVztlNLyjl2XIzgN+u+3dfP6tgg2EML3dfP6uup:6v/7JBtlxXIzS+f3p6tgg2EML3p6j
                                                                                                                                                                                MD5:B790D06E1309EDF0A735331A2D2EB539
                                                                                                                                                                                SHA1:16ADC28CB33F544C1C88103421F091B62EFA2FD6
                                                                                                                                                                                SHA-256:DA621753D6DF757A81DD67C656B8B71E0A43067D3EBB3F46715A704C734CA35C
                                                                                                                                                                                SHA-512:AA15D5F1BF4D8680AF67AE377251AA876AB8541899ABFB89539D3632D948BF9BC5A93E5057CD8FFF240AB19AD5CE750B51D004F6344E960E501AD385C6480A49
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............G#7v....bKGD.........pHYs...H...H.F.k>....IDAT(.ch`...p....h...4.i...%tEXtdate:create.2014-01-19T18:55:02-08:00.......%tEXtdate:modify.2014-01-19T18:55:02-08:00...p....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):262
                                                                                                                                                                                Entropy (8bit):5.967325013380225
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh8EFtlNeEvLpLa8qtqDUblKzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7JptlUILUPtylzS+f3E52EML3Eflz
                                                                                                                                                                                MD5:557FC2338A04EEEF50F3C7D45DDE2F98
                                                                                                                                                                                SHA1:05EC73A146736833B10B068CC948A87DFDB29CBA
                                                                                                                                                                                SHA-256:2F840CC0DE69EC024C62422982CB1336FCC580BD1AA1AA20BF1F5C7DE9A08BBF
                                                                                                                                                                                SHA-512:E65F56FD50B3D735D9271A0D321388BE4713518E8C26057C7487C704191CE0BD6981D4F5F77E3FBCBE646C738F125D394047D9E0B79F26ECF4F6E30245AAC44C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..a.."..[..n{1.qc...po"..?..3..}`xR...1.s?....^^bxu..u)..h.....W.%R..|...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):262
                                                                                                                                                                                Entropy (8bit):5.951536690657124
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh8EFtlNeMI2WoVk08K6x2zgN+u+3dftGRxEML3dfttp:6v/7JptlUM4oVN8KhzS+f37GEML37D
                                                                                                                                                                                MD5:5AA0A5172050CF33EE52543E2A39F650
                                                                                                                                                                                SHA1:353190E4DDA3C63D693BCA9DEC6ABCD092796322
                                                                                                                                                                                SHA-256:A0FCE4E506385D26CD1DD95EB2CA995C9541DD43153159C8313F32A3A0374792
                                                                                                                                                                                SHA-512:D0D82FCAA75C6EC976B63B11169F266903EB6DDD15B44CEC1C2F5A9BD9654F446AE17D0EF7526C263EFE753E6B39F46906F595FBAEA8543976F7493DB757BE36
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..0.F...g.....ax1..e&.8..!.ob..2..fx......#3......>...QD....@.$..5o...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):332
                                                                                                                                                                                Entropy (8bit):6.459714673231968
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPh1rZTp5mtlNYkx7GFaO29kJ/iNB9o7+2vEK9ZfES5lB2zgN+u+3dfWVd6c:6v/7J1rZVQtlOnwk1em+2vEKvEA2zS+c
                                                                                                                                                                                MD5:44606DD4F249740D494943643B1C8718
                                                                                                                                                                                SHA1:BEBC84E5BB020065A1D790101B9345AA21EC7633
                                                                                                                                                                                SHA-256:EF724E84645EF2DC9769BDDCB6FE832407372A4740C6AEF3E25AEA2AE6F51853
                                                                                                                                                                                SHA-512:7B73C187AA88FF5CE5671D620D9F8933A3B5ED04F95929970A7F785F50232AACE33E5135EA242A2C89339D750437B0B40D12928B7CD768A008D743FBAAF73590
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH.....a........\!V....J#X.....D}.....f.>....>...P..x...x......q....u...q...f.+..6....[..\.......W.T4r...6:.]V:...,.(....8..y.G-(d...H...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1 x 100, 16-bit grayscale, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):280
                                                                                                                                                                                Entropy (8bit):6.115389891689244
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:6v/lhPeNkFtlNokzySWow3tumS4E8U0xzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7WNEtl+LZoat3S4e0xzS+f3E52EMa
                                                                                                                                                                                MD5:443BD890A55AD6B7E5FC5383F730A44C
                                                                                                                                                                                SHA1:D18316E7AFC637F466687831C460A8B767615776
                                                                                                                                                                                SHA-256:E8CFB6E4753C0E1ED877146B6F497A733EEDCDA8BE4264C91A191204DFD9FB94
                                                                                                                                                                                SHA-512:B0B792C2EC487A0007F8F27FEA0D8DE9EF149092461E8334A433EB8F3CD6BE86A46EA53FA40CA84D9A3B384803AAD144573B4CD88CBBE9A09E0A98D11630E9D5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.......d.....2.......bKGD....1.....pHYs...H...H.F.k>...ZIDAT..cx|..Nh.........2<hc._.p/..n,....[_.n.g...p=.......w2\je.X.pa...&.s....b8..p...".....Y{....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
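The per-file fields listed above (file type, size, 8-bit entropy, the Encrypted flag and the MD5/SHA-1/SHA-256/SHA-512 digests) can be recomputed from a dropped file pulled off the analysis VM and compared with the report, which is the quickest way to confirm that the artefact in hand is the object the report describes. The Python script below is an added example, not Joe Sandbox code: it builds a constructed minimal PNG, computes the same fields, parses a report-style "Key:Value" block and lists any fields that disagree. The 7.9 bits-per-byte threshold it uses for the Encrypted flag and the small magic-byte table are assumptions, not the sandbox's own rules.

```python
"""Recompute the triage fields a sandbox report lists for a dropped file and
cross-check them against a report-style entry.  Added example; not Joe Sandbox
code.  The sample PNG and report text are constructed here; ENTROPY_FLAG and
the MAGIC table are assumptions, not the sandbox's own rules."""
import hashlib
import math
import struct
import zlib
from collections import Counter

# Assumption: a hand-picked magic-byte table, not a full libmagic database.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"GIF89a", "GIF image data, version 89a"),
    (b"GIF87a", "GIF image data, version 87a"),
    (b"MZ", "PE32 executable (MS-DOS stub)"),
]

ENTROPY_FLAG = 7.9  # assumption: above this, treat the file as likely packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    """First matching magic prefix, or 'data' when nothing matches."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"


def png_dimensions(data: bytes):
    """(width, height) from the IHDR chunk, or None if not a PNG."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n") or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def triage(data: bytes) -> dict:
    """The same fields a dropped-file entry carries, computed locally."""
    entropy = shannon_entropy(data)
    return {
        "File Type": file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy > ENTROPY_FLAG,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_report_entry(text: str) -> dict:
    """Parse the 'Key:Value' lines of one report entry into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def make_png(width: int, height: int) -> bytes:
    """Constructed minimal 8-bit grayscale PNG with all-zero pixels."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def verify_against_report(data: bytes, report_text: str) -> list:
    """Names of report fields whose values disagree with what we compute."""
    reported = parse_report_entry(report_text)
    computed = triage(data)
    return [k for k in ("Size (bytes)", "MD5", "SHA1", "SHA-256", "SHA-512")
            if k in reported and str(computed[k]) != reported[k]]


if __name__ == "__main__":
    sample = make_png(40, 100)
    for key, value in triage(sample).items():
        print(f"{key}:{value}")
    print("dimensions:", png_dimensions(sample))
```

Entropy in the 7.8 to 7.9 range for the 4549-byte and 6922-byte PNGs above is what deflate-compressed image data normally looks like, so the entropy value on its own is not evidence of packing or encryption; a recognised magic header, plausible IHDR dimensions and a digest that matches the report are the checks that actually tie the file on disk to the entry in the report.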
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6922
                                                                                                                                                                                Entropy (8bit):7.940828041549464
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:EtbmwCm38cHXpuWxCxISffIuZ/vTwcZMCCn7/totek2HAqcRln2cM3+gpDR:AqdmzXpMbxMCK76tdqAZje+8N
                                                                                                                                                                                MD5:A1B3887A86CF1791F23C0B53B4D3585F
                                                                                                                                                                                SHA1:692A53CAD7F748BC7B691B98B9116CE3269CD22B
                                                                                                                                                                                SHA-256:3B1AC036763D3A59C88578486AE698D22A37DD2D46A553485E1EABB9FE255B3F
                                                                                                                                                                                SHA-512:A055B57AE02D64DD85EFED7EC939B8A50A35F85F18D1DE3245A9D634C9A613EE29CFF401BCBE222321A46AA77AB0EA705E917EC57A58B08002F55D2090B7AC71
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............E.r@....bKGD."..b.....pHYs...H...H.F.k>...'IDATx..{he.}.?g.....{..1.)......]K&qq.U.4k.biK.R(H...B..P(I.vJ._....IV.@.nB.5i.N...i.G.jq.&.~A#Q.....rX'.....9.:..{.3.E{.=.y.o~3g~..Mp..&.....1Xx.h8<...#dl..Mx..1.&..$..5..~...V.....c.$.......,..........i...N:.Z....Y...>.."..B...H!...........-..C.u.8t..}....8.!.B...*.OF...[.a...l...B&......1h.>..M]hN...4MAb....!(..h.E.1.5j.cO.<6.e7..,e...S(..f..o.16+3.y.JR.|.{.^3.^.....{.88..........~'.....px.h8<.4.........g............2..n..6e.......{......Q.......p...P.A..i...f.S.....(..D..'.L.6=......T:s...f.q...l....c.I......=.i...M.>...LN{.U..&.......&...{u...o...........4.~#.....px.h8<.4.........g.......p...^i....../.0.....TW..c.......Q.... .@)..y...u}`L...Uc...%T..................A..R..@.?..P.-`....BKl..b.....Z}.............uJ....%U.].K2..e..ts.Y...@,e.e.....r..jc.s...M..n..0.A...mP..y..D.K(5.,...lN.&b.D.m..rwYDV....t..e$.......L......[..C..0O...P...&..0.....+..;...g...3@........px.h8<.4
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4549
                                                                                                                                                                                Entropy (8bit):7.787336530544679
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:eezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:eebVPOjmYBL0o7j+AdJQgEza
                                                                                                                                                                                MD5:764C37EFBF6D7FFC176B466FADC6F2CA
                                                                                                                                                                                SHA1:A57A7F1775369985C3335C351575DF127C6CFEA2
                                                                                                                                                                                SHA-256:3D3E274632C78C97B550BB7D2291462E2584F523A15CDC1B9535E7BFABD0CE30
                                                                                                                                                                                SHA-512:206A63D9A0B0A4DB870FD927C8E6AB4E2C890A9F3ADACB6B43B6B735D45FE62D92A2B91003C176D7D6DDFA076BB6E6DDDB3A8520F1030BE64877214288CD0F62
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR..............IJ.....PLTE.................................................................................................................................................................................................................................................................................o...YtRNS...3..P.../"Uq@f`..2..!<.BHK .Z#'1S,.4...j...8E....|.........)...Q$.......b.J..m.Gc?o..h.@^.....bKGD....H....pHYs...H...H.F.k>...dIDATx..].c....H..].K....d..%....lm....w].....|.p..X..m.-....}<.w.(....1.$...;..F.@..%..?......B,..L.h{.t...#....T@./?.j...9..m..N. #...+`....`..I....._.-s..U0..M...[...s..4`x.....#....D<....~...K....4.]`..PDDDDDD.q......Ek@....A...~.*.....!Y...X...`.hv3\LX...Ot.J.2.b..l.QI<.... ...6..-X.l..6..H..|=j..`E.iq....Cv:..q............C?.?.....x.,..r*t..}|;.kP.4....d.Y....f....K..~[.>.X:+.i.......QV.9.\.....e...'...A.tO.S.:7..2.....YsxM....B....&....z.>n.C...@..r@...*.a.....%...MFDDDDDD.T.....H,...E....RU..n....<..V-.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6992
                                                                                                                                                                                Entropy (8bit):7.9272661175047565
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:LZYGBeZMj+hjoHCZi6hO7IEyv46uByg78SmVNN2AxGiaiBK+aOvAdCO6cIi29TvE:LRj+h1tkIz46uhhwNNlGiaiBKmA4Uw2Z
                                                                                                                                                                                MD5:6B29E362591A05E270B33C4FC3F67CB2
                                                                                                                                                                                SHA1:6CB0B3A5C3CB2EE9FBAEF3CB156C06BB4F15FC82
                                                                                                                                                                                SHA-256:A8D28E2D83A807B2B86ED2A02E31086F6C0718DFA96E0BA6A4577B657F69CC34
                                                                                                                                                                                SHA-512:B73EB60C9B76FD504D46E5844673D9624C1A62A1F0C099F3C79242AEF4856C40CE6B97E38DB713CCC5E131D6C02615E90127350610A0A4D49959E56C940C6813
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............E.r@....bKGD.E.;.-....pHYs...H...H.F.k>...mIDATx..{leG}.?g.K..$.....U.!.>T....J..i6A".V..R%;.."...*UP).../......z..RJ..F....QP...z..BQ.H.VU.........5s..9..^.3...{~....7s.7...<.......`...... c...A.b/..@..[.V.D...0..3AX9..0.N...._..B.......&...>~..>..c.;ab..D..E......Q.z..'k...M.ay......6..!.:u.:..:@R....B.yDD....'.L..-.f.]S..q.!..f...S....Q.&..S..7MC..r==3d.J...{...f.Z...S0.Ms..:0K.g........&H.U.=.mc.4.i?U..G..U4.hc..Qb....].!..hL...W.../........@........px.h8.~.|.A...Qf?....1f......=u.....Q.GJH...p....P.I.w.m.....>2.....".W.P&{..n....T:s...f.q...H@.....c.I.......~.S.s+.^|B.n.29..d..H.......]..v.-.-m.e.h.>..........q&....g..9x.#c..n..~!.....px.h8..4.^.../.......o..#..Z@..S....^..4. K.ZKP..d.9...C@.F[.......,..a+......]8..v..K..q.H.l.w9...84.K.B...|..&...#..[.\C.....`..R..!.....:.F.z..C...6..)A....T1wU.I..!4..ig.3w.............E:..q7.......n..0uA...mP..y..T.K(5....lN.b.T....rw.DV.]..t..e4...7....L......[..C..0....P...&..0
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6999
                                                                                                                                                                                Entropy (8bit):7.9356094432043145
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:0H63l6XnD/aZzXcHhG8RL8h8xnJ4f8lKoQpID8Dj:33qbaZzXUnYh8lJ4fsgIS
                                                                                                                                                                                MD5:302AE7A7AED5730C16146B677B123638
                                                                                                                                                                                SHA1:D0144B794640E1126F782B5332C8539FE2D3AEF4
                                                                                                                                                                                SHA-256:E2D1B1C7C51F8C30431327FE43029D62B6D5DFD2D95BBD6B8B9929C178DBA4BF
                                                                                                                                                                                SHA-512:B65B0DCE5A2B0348F51E2D41E07A3A7B11F051E3A0517B5DD2EA2327C2E2DF0908CFA33597B34B2D1C89D6BFB91C9F432A564233DD9D763CEAC67A751B618378
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR.............E.r@....bKGD..I.( ....pHYs...H...H.F.k>...tIDATx..{le.}.?g..k..u...J.>D.C.^.Q...M..H..*MU...h.(*$H...R.*j...D.].....)..(M6..F.6!6..-..xI...i.-.. HN.8..s.u....g......f....7..3........7..x..^.../.2&...v&v.^.DL..l6I..-..o?...cn...D Iy.e.#d.0+.0.3..~.......0.g'L.V...[...R.C:B..~(...)$q.vX.u.B@...E@`H.N.G.....`TA.%=].qA.w..J)..u).9.:e.9d.`V..0.A{..=..BS*.....S..gF.A....-(D...R.@..".....g'.U.,eS.w.......j...*.)l.[.....HLy....9......j.a.I6..MR.~...~..nG....3........@........px.h8..4.~=@>...(...mE...3a\.`~..=u.....Q.....[..f.3W..A...i..oK}3w..gV........,.j....n2..*....m..M..].y=..xn"..co....L"..7]...EC.:d..H.z.E@W...f+^.e.6v.E4..O...`.......)l..:..7.....){._.....~".....px.h8..4.^.../......./..#..\@..S..^.T.0s.Zs.1.J..1.Pr....h.w...V..E.g....S..T..Q5.[.\B...O.`+..>}....\...6.../0..k.g...1[..Kh.....l.X....._.Z.^IA......^.N..4v...OW=%i^.<...9.t.f .2.......B.Hg.6....!u..\.Z..&.....2....s....U.]..i.T..... ..]..Ua.q;].A...:.r.G-3.<.F..n
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4549
                                                                                                                                                                                Entropy (8bit):7.7588806674823365
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:gezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:gebVPOjmYBL0o7j+AdJQgEza
                                                                                                                                                                                MD5:5C78585B80FBF4342D21674A04E89C8B
                                                                                                                                                                                SHA1:BA54B02521C09485695A9F409BA3E6FF7EDE90AD
                                                                                                                                                                                SHA-256:003822ED55AD9191E071798370E41363A617B138EAE18623AD9D864CA5F357CE
                                                                                                                                                                                SHA-512:77B280FAB498352647A1271A7B9E1D7A54EA3E30838A780BA2DB649ADDF7E8BBADACAF0A00BFA37BA7E7EB3084E90810451E8ECEC2647D3917507EFD17B90CDC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.PNG........IHDR..............IJ.....PLTE..............................................................................................................................................................................................................................................................................4.v....YtRNS...3..P.../"Uq@f`..2..!<.BHK .Z#'1S,.4...j...8E....|.........)...Q$.......b.J..m.Gc?o..h.@^.....bKGD....H....pHYs...H...H.F.k>...dIDATx..].c....H..].K....d..%....lm....w].....|.p..X..m.-....}<.w.(....1.$...;..F.@..%..?......B,..L.h{.t...#....T@./?.j...9..m..N. #...+`....`..I....._.-s..U0..M...[...s..4`x.....#....D<....~...K....4.]`..PDDDDDD.q......Ek@....A...~.*.....!Y...X...`.hv3\LX...Ot.J.2.b..l.QI<.... ...6..-X.l..6..H..|=j..`E.iq....Cv:..q............C?.?.....x.,..r*t..}|;.kP.4....d.Y....f....K..~[.>.X:+.i.......QV.9.\.....e...'...A.tO.S.:7..2.....YsxM....B....&....z.>n.C...@..r@...*.a.....%...MFDDDDDD.T.....H,...E....RU..n....<..V-.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (1339)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32021
                                                                                                                                                                                Entropy (8bit):5.078949048223651
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:L1Xt0YpyiuMfQY+wA1r0sNJdBYUPSMfe3zYTda5Y6BjSmMErEURHwn58OV4v9i6V:IYpyiuy1TO+z+eI5HVfzS25Sfp
                                                                                                                                                                                MD5:ECB5EA6E7495242AD82F926B62DBDCB3
                                                                                                                                                                                SHA1:F465442DD28791C27D7AAEADB15A8AC04496F157
                                                                                                                                                                                SHA-256:0010F5E0DA2C54B659E5A3B375DE604E442164E6C72A5D82E8599935A57233C5
                                                                                                                                                                                SHA-512:92849ACF439C398290607B50DDCC6F4E5221C97463F45F3E414640B11357AB68F6AD5803A9782E041459CD2E094D7E1585EC07F0441698F1CB3BC0E6CFCFB6EF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (25266)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):27102
                                                                                                                                                                                Entropy (8bit):4.997758237821455
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:L1Xt0YpyiW4wuxrjM1bXrJLzB3NCNPHyV6C2MZuQEjQDMsrsUR9IU+4mvCyB8gBZ:IYpyixDGFLzBEVk+4mvFL/72fZBhV5OR
                                                                                                                                                                                MD5:8670AFABE3FDF47BC56FBA5DF45024D2
                                                                                                                                                                                SHA1:C7AF8621CB5FBC970DFE5666C668232E7A593387
                                                                                                                                                                                SHA-256:1D8755B3DAB9E189A8F4326A3328E7F4FA7F51849B0F50C29A3368CEA9C5704F
                                                                                                                                                                                SHA-512:08F39518D5194A2A653A7049D2FEEBF5497CB93EA1A479BBB7307B484726C9FEFC5CC07B69440D0051DAE0A329D14BEFEC31D9AEE6656F344037C85822037D0E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (1339)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32021
                                                                                                                                                                                Entropy (8bit):5.078949048223651
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:L1Xt0YpyiuMfQY+wA1r0sNJdBYUPSMfe3zYTda5Y6BjSmMErEURHwn58OV4v9i6V:IYpyiuy1TO+z+eI5HVfzS25Sfp
                                                                                                                                                                                MD5:ECB5EA6E7495242AD82F926B62DBDCB3
                                                                                                                                                                                SHA1:F465442DD28791C27D7AAEADB15A8AC04496F157
                                                                                                                                                                                SHA-256:0010F5E0DA2C54B659E5A3B375DE604E442164E6C72A5D82E8599935A57233C5
                                                                                                                                                                                SHA-512:92849ACF439C398290607B50DDCC6F4E5221C97463F45F3E414640B11357AB68F6AD5803A9782E041459CD2E094D7E1585EC07F0441698F1CB3BC0E6CFCFB6EF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (25266)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):27102
                                                                                                                                                                                Entropy (8bit):4.997758237821455
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:L1Xt0YpyiW4wuxrjM1bXrJLzB3NCNPHyV6C2MZuQEjQDMsrsUR9IU+4mvCyB8gBZ:IYpyixDGFLzBEVk+4mvFL/72fZBhV5OR
                                                                                                                                                                                MD5:8670AFABE3FDF47BC56FBA5DF45024D2
                                                                                                                                                                                SHA1:C7AF8621CB5FBC970DFE5666C668232E7A593387
                                                                                                                                                                                SHA-256:1D8755B3DAB9E189A8F4326A3328E7F4FA7F51849B0F50C29A3368CEA9C5704F
                                                                                                                                                                                SHA-512:08F39518D5194A2A653A7049D2FEEBF5497CB93EA1A479BBB7307B484726C9FEFC5CC07B69440D0051DAE0A329D14BEFEC31D9AEE6656F344037C85822037D0E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2999
                                                                                                                                                                                Entropy (8bit):3.9357714030301936
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:QEipEr2in2hH6WOtfcHi18SG7EG+WZ4WN83+/pDv6j6dtimCiw4bPL1yrKDbSBv6:HK1FROta08t7E/gbN1pv6u04bPL1ye
                                                                                                                                                                                MD5:7DAA7CFF4BDB6A6B4C33AECA089DEBFF
                                                                                                                                                                                SHA1:04118F802E9DAAA1EFF20B00E333AA011340856C
                                                                                                                                                                                SHA-256:68ED09555E1B0D56AA83887C3F8B086359C337897149BC9C2854373FDCDA75A3
                                                                                                                                                                                SHA-512:DC39F36273A4B104708628F6ED3D965BBF778E64671339D200A09B7E80739B8D9FFF88B9C16040BEAAF466EC49A1C64BE36C13B05E8987F0DD4B1FA0CCD9A298
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:GIF image data, version 89a, 76 x 103
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1270
                                                                                                                                                                                Entropy (8bit):5.422042590406756
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:2kEGY7peHU2k7N7DRhoZNtwNKzbEqNpmRRmJyMnM4RRwd5YErFcZ4E:PHU2k7N7YtG8EqNwbmIMnsd5hcZD
                                                                                                                                                                                MD5:ED63705020F5409BD91BE4B848250F7E
                                                                                                                                                                                SHA1:C2604114F4B24BE1F24DC8640818E8A5C076B0F6
                                                                                                                                                                                SHA-256:6CAA261B46150667B4B9F21E3C58F9594460C2582DEB5D5F7605567EC8ABEB07
                                                                                                                                                                                SHA-512:CAE29BDCE94E7CD5281418726887818AEF0CD8B59966706E2AA5FB6E639B95B2B21F179CDA6892F6C7B5A6A75F3D8EBEF6262E7829FE8407CE1183E6D4AB003F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PNG image data, 1703 x 789, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):36484
                                                                                                                                                                                Entropy (8bit):7.826690532591528
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:X4+S5daND8PRZtBKjUr+vkzCE9D44dQM2J/nxm+kAS1KGF:XlGxtEjfczD9lQM4Inl
                                                                                                                                                                                MD5:4F169AC52006310BB5956187AF719865
                                                                                                                                                                                SHA1:5907E27014D30459102A21BED4BC082C78C1FB6C
                                                                                                                                                                                SHA-256:5248E60F5FAA0C281A4872FFEC1F28F2D723FA354E8FE0B4C355FA13E5883884
                                                                                                                                                                                SHA-512:E4955D2241C20432CA9DE31553E1CECDE44B59BD5139193D883C341A1CB60606C8C93B57546191B046CAB1D8DC47C55037EE49E97A4A873C30AEF8B590742055
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with very long lines (608), with CRLF, LF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):25248
                                                                                                                                                                                Entropy (8bit):4.535394761469598
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:GxehBcD+eqacKS2MKfeJNzG51IBRXXRuaKlpNAiANMW++Ecq:Gxe/cDGacKS2ri9NBu3Ao
                                                                                                                                                                                MD5:41E3D157C9F798864CF43D5D06B1B9B0
                                                                                                                                                                                SHA1:A21EEBBBB4731FC3CDDC7D991B0F09DF98CA38E9
                                                                                                                                                                                SHA-256:82E4E1E2308985217975220A67F77CA88C5314D6596B936651F1F276C84FE705
                                                                                                                                                                                SHA-512:976504083CDA58FE2AEF13B7E8F0F55B37B3AF83AA9A32EAAB0F5282DBA110C8D8B32DF7E270F613113E2B5FC1E2E97CE031F41DD209F438771DA37C28327A37
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>ITMS Download Agent</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }.. </script>.... <script src="js/RDMFileDownload.js
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):11622
                                                                                                                                                                                Entropy (8bit):4.857450404916044
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:yfH0r8C1rCUXDcHoHl6mHLCMXTBXcSfcxH0:y/0r8QrCUXDael68LCMXFMSfcxH0
                                                                                                                                                                                MD5:5459FAA5C92FBC7A4BABDF42DA898D0C
                                                                                                                                                                                SHA1:DC869A04188C349EF196FF28712BE5FF688277EA
                                                                                                                                                                                SHA-256:2B06B69E50F0A6208494783389A1982B0A37B3F0DDD998BB75A7F99761ED1A3C
                                                                                                                                                                                SHA-512:6BE248A7054DF13EF5FD4ABE668C5449C6F1278E1CBAAFF7E7251C605BB7DFF2C6803A1409466A346335BA844A3D8CFCD09DE57E0152C8FDB6C56F533F51FA6F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Endorsement Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="endorsementsJS" type="text/javascript">...... var sharedObject;.... function OnEndorseSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.. var configXML = "<additionaldata>";.. configXML = configXML + sharedObject.GetScannerConfiguration(DeviceID.options[DeviceID.selectedIndex].value, false);.. configXML = configXML + "</additionaldata>";.. var xmlDoc = $.parseXML(configXML);.... $physicalEndorsement = $(xmlDoc).find("PhysicalEn
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):11222
                                                                                                                                                                                Entropy (8bit):4.906615747950895
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:xWv/rVEWWgcGLjqayPyeTb8Ap4gqQ+M8ddspnW:xlnaS7EAR+M8PEnW
                                                                                                                                                                                MD5:4404937977A219AE6C282C86BC2E3588
                                                                                                                                                                                SHA1:BBF9498F2E2DB853B6FAB2EC8C0D2DE9DC0233E0
                                                                                                                                                                                SHA-256:92144E3BD70A3DB922443EDFAAF040083804569FCE67E5A62604BFCEF98EC6BF
                                                                                                                                                                                SHA-512:C68B375DBB23BBC5B19C9F0BA439F6F50745F61E3B279ED208D9B8BF58D034DC7DC65A464D7312F66233AB10993684D038FD584C480C4814B942BD3A8B61633F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!DOCTYPE html>..<html language="en">..<head>..<meta charset="utf-8">...<title>RDM - Scanner</title>...<meta name="description" content="Transform your Payments with RDM RDM Corporation is a provider of Remote Deposit Capture (RDC), integrated receivables and payment processing solutions designed to help clients simplify the way they do business.">.. <meta name="author" content="Geoff Culley - RDM Corporation">.... <link rel="stylesheet" href="css/smoothness/jquery-ui-1.10.4.custom.min.css">...<script src="js/jquery-1.11.1.min.js"></script>...<script src="js/jquery-ui-1.10.4.custom.min.js"></script>.... <script>....$(function() { $( "#tabs" ).tabs({active: 1}); });...</script>.... <style>.. .body{.....width: 100%;.. height:100%;...... padding:0;.. margin:0;.....font-family:helvetica,sans-serif;.....background-color:#f2f2f2;....}.... li a{.. outline:none;.. }.... #wrapper{.. min-height:100%;..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15622
                                                                                                                                                                                Entropy (8bit):4.652831581163575
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:Oz7Ef0HdBrYjW17UKvyP5FUyWUnndXMNMasqve7mwm1Crxyw4:OsSdBrYjW17UKv65FUyWEndXMarZ4
                                                                                                                                                                                MD5:4E586642F7781A6E3CAF7898F93F1FED
                                                                                                                                                                                SHA1:40B52B3CF2808073270AFBCCA9830BC395062B83
                                                                                                                                                                                SHA-256:CDD71A5656EBF218BB2D94457D2930DC79D81F899B2A3D8A3A1634442554F6C8
                                                                                                                                                                                SHA-512:6ADB03888A5B2363AD842738AE4D323EF7E712534FFCAE82B5F2E87106A39EADB12D010261258C480821B0EA3543A6937D77046776DF78B020A9C6D34C7E897B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Additional Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="miscsettingsJS" type="text/javascript">...... var sharedObject;.... function OnMiscSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.... // disable any invalid options.. chkWantCodeline.disabled = true;.. chkCropImage.disabled = true;.. var ScannerVendor = sharedObject.document.getElementById("ScannerModel");.. //if (ScannerVendor.value != "SCI") {.. // RemoveSelectByValue("ReturnedImages", "front,rear,auxFront,aux
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2999
                                                                                                                                                                                Entropy (8bit):3.9357714030301936
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:QEipEr2in2hH6WOtfcHi18SG7EG+WZ4WN83+/pDv6j6dtimCiw4bPL1yrKDbSBv6:HK1FROta08t7E/gbN1pv6u04bPL1ye
                                                                                                                                                                                MD5:7DAA7CFF4BDB6A6B4C33AECA089DEBFF
                                                                                                                                                                                SHA1:04118F802E9DAAA1EFF20B00E333AA011340856C
                                                                                                                                                                                SHA-256:68ED09555E1B0D56AA83887C3F8B086359C337897149BC9C2854373FDCDA75A3
                                                                                                                                                                                SHA-512:DC39F36273A4B104708628F6ED3D965BBF778E64671339D200A09B7E80739B8D9FFF88B9C16040BEAAF466EC49A1C64BE36C13B05E8987F0DD4B1FA0CCD9A298
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:...... ..........&... ..............(... ...@...................................................................................................................p...............x................................8..............t@................@..............L.@................C..................p..........L...............L...D...........t....D8..........L....D..........DDDDDD......................................................333330.........x;.....H.........x;....8..........s;...............s....................8p..............4..............................3..p.............;8...............3w..............x..............................................................?....................................................................................?...........?....(... ...@..............................................................................................""".))).UUU.MMM.BBB.999..|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):43367
                                                                                                                                                                                Entropy (8bit):4.531521815386101
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:qxe4deVLSh44rBLEXrGaaNmKS2Cg2sMGgxJTt3g38kos0u6rZjASgLq0w:qxe4DJNmKS2VMNZtuoZH
                                                                                                                                                                                MD5:7FA0B7B0DC9284A17618C73FDD20A983
                                                                                                                                                                                SHA1:2A2162A4998AC8C3AAE349392E6E9BBF03C9E42E
                                                                                                                                                                                SHA-256:44E7EF139E5DFD4EFEE3A806C0C56B45814096CC2183E4E05877FAC5226436B6
                                                                                                                                                                                SHA-512:A005D9CED8CBFA903020FFE1E0129F1253B8C7FBE6012884B0C4818F170E9DCE2ED30684FDC353D3ED145FD12FB43E76691F5A49A1128D5AD42AAA1197CE1C06
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <title>ITMS Scanner</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):42675
                                                                                                                                                                                Entropy (8bit):4.637657121816673
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:iLFkJLEsm17ztfMlzzCqd3R0WgrOMSKP/3Sx9TbUkcCDESxDME/Ogr+GN5J6eZ36:iLFQyQ394k5DX+/s8FAdVghXFi8NifMF
                                                                                                                                                                                MD5:CFE3EFB0072A24800CE4CD451B1908EF
                                                                                                                                                                                SHA1:E4E910E982F559E8B98E37C7303DE15DD7B88FEB
                                                                                                                                                                                SHA-256:FD62ACB879187BC4754E692109F0A6C4A11CBD0258992AD4159E2A3AB0B27BAE
                                                                                                                                                                                SHA-512:198237443B841DDC84BFEC25B79885BBF1B5D49F15783BFE8DE351E4AE72B2276C37D335417E90C549E4E7A9A0C19FFA738C0190864FACBF9BD484DDBEA99783
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!doctype html>.<html lang="en">.<head>. <meta charset="utf-8" />. <meta http-equiv="Content-Type" content="text/html;charset=utf-8">. <meta http-equiv="Cache-control" content="no-store, no-cache, must-revalidate">. <meta name="description" content="SCM SAPI Scanner Test for QE">. <meta name="author" content="Frank McGovern - RDM Corporation a Deluxe Company">. <style>. #RecoveryDiv {. width: 720px;. padding: 5px 0;. text-align: center;. background-color: lightblue;. margin-top: 5px;. }. </style>.. <title>SCM SAPI Scanner Test</title>. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>. <script type="text/javascript" src="js/jquery-ui-1.10.4.custom.min.js"></script>. <script type="text/javascript" src="js/sapi.js"></script>. <script type="text/javascript" src="js/sapiconstants.js"></script>.. <link type="text/css" rel="stylesheet" href="css/qescm.css">.. <s
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3838
                                                                                                                                                                                Entropy (8bit):5.088460692091686
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:BeuhLvClxA2HwBuE/Yjw/2lg6Y182BoNBdutalj2lxArHw32ly6Y182BoNB6kY0w:BJvl5BuU22QrpE32oQOK2ghdfgBfp
                                                                                                                                                                                MD5:F108F9ADD9825EB6AAE9F5297536C2C9
                                                                                                                                                                                SHA1:EF4D740B1105D5206978D34792E872D3A8A407E9
                                                                                                                                                                                SHA-256:3E7398F9667561DD5FB5CD0A1F5D5D0DF8A7F35D727B0019A21E10961A77B542
                                                                                                                                                                                SHA-512:B5B3C624E99C8AC61EB3E0B96F3A36D5ECA484D4BD33235667053CEF26C57FFEF3107859CB38939EB3F999ABF2A59CF91029985D1DDD689EACFBB70211C630E9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<html>..<head>..<script language="JavaScript" type="text/javascript">.... var SCM_Test_User="SCM_Test_Command";.. var SCM_Test_Host="https://localhost:736/SCM/4.0/scm.esp";.// Default......function scm_cmd_post(func, parm) // Post async request and let event do update..{.. var hr = new XMLHttpRequest();.....// Access the onerror event for the XMLHttpRequest object.. hr.onerror = function() {....alert("Error: Failed Accessing Device Interface !!");...}.... hr.open("POST", SCM_Test_Host, true);.... // Set content type header information for sending url encoded variables in the request.. hr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");.... // Access the onreadystatechange event for the XMLHttpRequest object.. hr.onreadystatechange = function() {... if (hr.readyState == 4 && hr.status == 200) {.... var return_data = hr.responseText;.....document.getElementById("txtTestResponse").value = "Async Post Result:\r\n"+return_data;...
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):9241
                                                                                                                                                                                Entropy (8bit):4.8412854529644305
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:PHvbkLqV2m51fnhzHXup/BrdKDqCnql40ORaB:PHTkLz0V+pZrKqv4G
                                                                                                                                                                                MD5:95311A989A8D48ED1E283DD2DD5AC784
                                                                                                                                                                                SHA1:EE93E11B782726F9B79ACB7B4A71D0EE0323E480
                                                                                                                                                                                SHA-256:33D45F327D80F21158D889A444712FB09BB8E382C0D039F7F1656DA5845233D3
                                                                                                                                                                                SHA-512:127DD7EB0128A2EEB7A5272CD9D93C61EE864F6647A79504C68043746391CBF586817FE267A273EED1E362213F01ADFD2480CB432FCBE7AE8C668F971A345491
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*.. *.Module to package up a file download and subsequent upload to RDMAppweb for installation... * User only has to call DoFileDownload(url, exceptionHandlerName), where:.. * url = url to download.. * exceptionHandlerName = function name of exception handler that will receive exception response xml. Handler must.. * have the following prototype: exceptionHandlerName(xmlExceptionXMLString).. */......var DF_User = "DA_UserId";..var DF_Host = "https://localhost:736/SCM/4.0/da.esp";..var BYTES_PER_CHUNK = 5000000;..var base64Data = "";..var PB;......// jQuery ajax transport for making binary data type requests...// Use this transport for "binary" data transfers...$.ajaxTransport("+binary", function (options, originalOptions, jqXHR) {.. // check for conditions and support for blob / arraybuffer response type.. if ((options.dataType && (options.dataType == 'binary')) || (options.data && ((window.ArrayBuffer && options.data instanceof ArrayBuffe
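The two previews above (the SCM test page and the RDMFileDownload module) both talk to a web service on https://localhost:736/SCM/4.0/, which is the thing an analyst would go and look for as a listening service on the analysed host. The following Python is an added example, not code from the report or from the installer it analyses: it parses records in the format printed above into dicts, pulls URLs out of the truncated previews, collects the localhost endpoints, and computes the 8-bit Shannon entropy that the "Entropy (8bit)" column measures. The record excerpt is copied from the listing above with the Preview fields shortened; the hash-comparison helper assumes you have retrieved your own copy of a dropped file to check against the listed SHA-256.

```python
"""Parse Joe Sandbox 'dropped files' records into IOC dicts, extract URLs
from the preview text, and compute 8-bit Shannon entropy.

Added example; not the report's or the installer's code. REPORT_EXCERPT
is copied from the listing above with previews trimmed.
"""
import hashlib
import math
import re
from collections import Counter
from typing import Dict, List

# Two records from the listing above, previews shortened.
REPORT_EXCERPT = """\
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-Q0RO4.tmp\\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3838
Entropy (8bit):5.088460692091686
Encrypted:false
SHA-256:3E7398F9667561DD5FB5CD0A1F5D5D0DF8A7F35D727B0019A21E10961A77B542
Malicious:false
Preview:<html>..<head>..<script language="JavaScript" type="text/javascript">.... var SCM_Test_User="SCM_Test_Command";.. var SCM_Test_Host="https://localhost:736/SCM/4.0/scm.esp";.// Default......function scm_cmd_post(func, parm)
Process:C:\\Users\\user\\AppData\\Local\\Temp\\is-Q0RO4.tmp\\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):9241
Entropy (8bit):4.8412854529644305
Encrypted:false
SHA-256:33D45F327D80F21158D889A444712FB09BB8E382C0D039F7F1656DA5845233D3
Malicious:false
Preview:/*.. *.Module to package up a file download and subsequent upload to RDMAppweb for installation.. */......var DF_User = "DA_UserId";..var DF_Host = "https://localhost:736/SCM/4.0/da.esp";..var BYTES_PER_CHUNK = 5000000;
"""

URL_RE = re.compile(r"https?://[^\s\"'<>;]+")
HOST_RE = re.compile(r"https?://([^/:]+)")


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """Split 'Key:Value' lines into one dict per record. A record starts at
    each 'Process:' line; values keep everything after the first colon,
    since paths and previews contain colons of their own."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def preview_urls(record: Dict[str, str]) -> List[str]:
    """URLs embedded in the (truncated) preview, in order of appearance."""
    return URL_RE.findall(record.get("Preview", ""))


def local_endpoints(records: List[Dict[str, str]]) -> List[str]:
    """Unique preview URLs whose host is the local machine."""
    seen: List[str] = []
    for rec in records:
        for url in preview_urls(rec):
            m = HOST_RE.match(url)
            host = m.group(1) if m else ""
            if host in ("localhost", "127.0.0.1") and url not in seen:
                seen.append(url)
    return seen


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform
    distribution over all 256 values. This is what 'Entropy (8bit)'
    reports for each dropped file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def matches_listed_hash(data: bytes, record: Dict[str, str]) -> bool:
    """Compare a retrieved copy of a dropped file with the SHA-256 listed
    in the report (the report value is the reference)."""
    return hashlib.sha256(data).hexdigest().upper() == record["SHA-256"].upper()


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    for r in recs:
        print(r["Size (bytes)"], r["SHA-256"][:16], preview_urls(r))
    print("local endpoints:", local_endpoints(recs))
```

The parser is deliberately line-oriented and keys on `Process:` as the record boundary, because the report prints one key per line and only the Preview value is free-form; anything before the first `Process:` line is ignored. Feeding it the full listing gives a hash list and a set of local endpoints that can be turned into host-based IOCs without retyping any value.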
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):282944
                                                                                                                                                                                Entropy (8bit):5.083336235252651
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:8L7hmFRcHCAkwxc5c84OfkK0alZOVJFpqfzf382b6YI1f8sA20MR:85O4OfgsZcIu1f1AUR
                                                                                                                                                                                MD5:3B80424646A7ECDB19273D86800C1AC0
                                                                                                                                                                                SHA1:6945741107601D402C70A13CE46EB72FD1168BC8
                                                                                                                                                                                SHA-256:CE0343E1D6F489768EEEFE022C12181C6A0822E756239851310ACF076D23D10C
                                                                                                                                                                                SHA-512:E68CAB6907368B1598E97BB86F44A788DEA3EF9480AB4A110FD21F280BD6DFA2CEB1DB3BD49A781816D4F78BEF7A333A0B20F0D2715B78516754C98D6E7E190C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*!. * jQuery JavaScript Library v1.11.0. * http://jquery.com/. *. * Includes Sizzle.js. * http://sizzlejs.com/. *. * Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors. * Released under the MIT license. * http://jquery.org/license. *. * Date: 2014-01-23T21:02Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper window is present,...// execute the factory and get jQuery...// For environments that do not inherently posses a window with a document...// (such as Node.js), expose a jQuery-making factory as module.exports...// This accentuates the need for the creation of a real window...// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info...module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (64560)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):228539
                                                                                                                                                                                Entropy (8bit):5.152646332443805
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:mnhStzLZwyt83OegZBPit/FoCv62jHesF7XWzx9GV1+1/4L9fSz8:gAFx+2UB62besF7XWzx9G
                                                                                                                                                                                MD5:202A3D794B47E0CB0638B465301769DD
                                                                                                                                                                                SHA1:5395BA95100F253A28143410CB02C58BDC8E6DFF
                                                                                                                                                                                SHA-256:FD2A5EDD4D12D6B68A50C69877DB293E83787ACCEA605FF53817FB45F91CAA16
                                                                                                                                                                                SHA-512:FAB7F2613D5E0716BDC9532DD638B6005E3828A59917795CBE095E2E12E38B0B2A50DB9FD545B97D3D06325221E01E8C8F5145E413D51CD949D0BD387DA0EB25
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery UI - v1.10.4 - 2014-01-19.* http://jqueryui.com.* Includes: jquery.ui.core.js, jquery.ui.widget.js, jquery.ui.mouse.js, jquery.ui.position.js, jquery.ui.draggable.js, jquery.ui.droppable.js, jquery.ui.resizable.js, jquery.ui.selectable.js, jquery.ui.sortable.js, jquery.ui.accordion.js, jquery.ui.autocomplete.js, jquery.ui.button.js, jquery.ui.datepicker.js, jquery.ui.dialog.js, jquery.ui.menu.js, jquery.ui.progressbar.js, jquery.ui.slider.js, jquery.ui.spinner.js, jquery.ui.tabs.js, jquery.ui.tooltip.js, jquery.ui.effect.js, jquery.ui.effect-blind.js, jquery.ui.effect-bounce.js, jquery.ui.effect-clip.js, jquery.ui.effect-drop.js, jquery.ui.effect-explode.js, jquery.ui.effect-fade.js, jquery.ui.effect-fold.js, jquery.ui.effect-highlight.js, jquery.ui.effect-pulsate.js, jquery.ui.effect-scale.js, jquery.ui.effect-shake.js, jquery.ui.effect-slide.js, jquery.ui.effect-transfer.js.* Copyright 2014 jQuery Foundation and other contributors; Licensed MIT */..(function(e,t){function
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):13945
                                                                                                                                                                                Entropy (8bit):4.789463042290839
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:Trx7pT23ki75/23kiiPvom0akcU8jluDQMO3raekNAcGg1Zayn4:hti5uXmHkc3RuDjsf7g1ZaX
                                                                                                                                                                                MD5:00EC40C3AA384CC86A58BCCC83CFFD52
                                                                                                                                                                                SHA1:BFA37BC76A292F376A2318F2EB43F0B69F7E1A33
                                                                                                                                                                                SHA-256:156A7DDBAA02A7DC1BF236EA9E512D72EC84347CD35ECB99CB1793B9B88843D4
                                                                                                                                                                                SHA-512:2C61554DF6EA2331FD3E4C1EB56A13FFD7A3953BC7DA4AF5F610D0A72C74DEC80F8A7E7288A86917C826AF3CC1C3D5D83DBBB8791E8B19B65F1B141951726CED
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:// JavaScript source code....var SCMSAPI_USERID = "ScmSapiHtml";..var SAPI_HOST = "https://localhost:736/SCM/4.0/scm.esp";....var _SapiHostUrl = "";....var ResponseStatus = {.. OK: "Ok",.. EXCEPTION: "Exception",.. TIMEOUT: "Timeout"..};....var ExceptionType = {.. ERROR: "Error",.. RECOVERY: "Recovery",.. WARNING: "Warning",.. NOITEM: "NoMoreItems",.. DECISION: "AtDecisionPoint",.. STOP: "UserStopped",.. EVENT: "ScannerEvent"..};....var SapiApi = {.. UseNetworkScannerAppwebUrl: function (serialnumber) {.. _SapiHostUrl = "https://" + "RD" + serialnumber + "/SCM/4.0/scm.esp";.. },.... UseClientAppwebUrl: function () {.. _SapiHostUrl = SAPI_HOST;.. },.... FindScanners: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("FindScanners", parameterobj, callback);.. },.... ActivateScanner: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("ActivateScanner", parameterobj, callback
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2254
                                                                                                                                                                                Entropy (8bit):5.059274097319649
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:bJKVzATzKtAQCwn7wAqZLQaPIvLIw9IVV2l/+bewb0YwwkWr:bgVz+jwsAqZ6v0w9I/mw9wwVr
                                                                                                                                                                                MD5:186A8E49402CB6C7CD54D43A8269DA90
                                                                                                                                                                                SHA1:4D3A4F5EA1AB5B4E6DBE0D985600B8383D064A34
                                                                                                                                                                                SHA-256:916E73B03B6287D2B125AC610985C6A3A77DEFB48801F86A8EF0E2AF200625FD
                                                                                                                                                                                SHA-512:253FF718B7D67BC178FA281FD1EF17EDCFC6135408B1A5061FC76825D269EEBC48404338226DAEC406542FADB1C6103656E7467F11C94620C14CDBE94CAAAA39
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:var STATUS_DISCONNECTED.....= 0;..var STATUS_CONNECTED.....= 1;..var STATUS_CONNECT_ERROR....= 2;..var STATUS_DISCONNECTING....= 3;..var STATUS_CONNECTING.....= 4;..var STATUS_SCANNING......= 5;..var STATUS_SCANNING_ERROR....= 6;..var STATUS_SCANNING_INPUT....= 13;..var STATUS_STOPPING......= 14;..var STATUS_STOPPING_CANCEL....= 15;..var STATUS_STOPPING_HOPPEREMPTY...= 16;..var STATUS_INIT_FAILED.....= 17;..var STATUS_AUTODETECTING....= 18;..// Recovery Code: adding a recovery status..var STATUS_SCANNING_RECOVERY...= 19;..//the constant to track whether Flat bed scanner's cancel button was clicked..var CANCEL_TWAIN_FLATBED = 20;......var SCANNERMODEL_UNKNOWN....= -1;..var SCANNERMODEL_EMPTY.....= -2;..var SCANNERMODEL_EC6000.....= 1;..var SCANNERMODEL_ECSERIES ....= 2;..var SCANNERMODEL_DCC210.....= 4;..var SCANNERMODEL_DCC220.....= 5;..var SCANNERMODEL_DCC350.....= 6;..var SCANNERMODEL_PANINI.....= 7;..var SCANNERMODEL_DCC215.....= 8;..var SCANNERMODEL_DCC230.....= 9;..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (32086)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):95786
                                                                                                                                                                                Entropy (8bit):5.393689635062045
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:/PEkjP+iADIOr/NEe876nmBu3HvF38sEeLHFoqqhJ7SerN5wVI+xcBmPv7E+nzm6:ENMyqhJvN32cBC7M6Whca98HrB
                                                                                                                                                                                MD5:8101D596B2B8FA35FE3A634EA342D7C3
                                                                                                                                                                                SHA1:D6C1F41972DE07B09BFA63D2E50F9AB41EC372BD
                                                                                                                                                                                SHA-256:540BC6DEC1DD4B92EA4D3FB903F69EABF6D919AFD48F4E312B163C28CFF0F441
                                                                                                                                                                                SHA-512:9E1634EB02AB6ACDFD95BF6544EEFA278DFDEC21F55E94522DF2C949FB537A8DFEAB6BCFECF69E6C82C7F53A87F864699CE85F0068EE60C56655339927EEBCDB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):9241
                                                                                                                                                                                Entropy (8bit):4.8412854529644305
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:PHvbkLqV2m51fnhzHXup/BrdKDqCnql40ORaB:PHTkLz0V+pZrKqv4G
                                                                                                                                                                                MD5:95311A989A8D48ED1E283DD2DD5AC784
                                                                                                                                                                                SHA1:EE93E11B782726F9B79ACB7B4A71D0EE0323E480
                                                                                                                                                                                SHA-256:33D45F327D80F21158D889A444712FB09BB8E382C0D039F7F1656DA5845233D3
                                                                                                                                                                                SHA-512:127DD7EB0128A2EEB7A5272CD9D93C61EE864F6647A79504C68043746391CBF586817FE267A273EED1E362213F01ADFD2480CB432FCBE7AE8C668F971A345491
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*.. *.Module to package up a file download and subsequent upload to RDMAppweb for installation... * User only has to call DoFileDownload(url, exceptionHandlerName), where:.. * url = url to download.. * exceptionHandlerName = function name of exception handler that will receive exception response xml. Handler must.. * have the following prototype: exceptionHandlerName(xmlExceptionXMLString).. */......var DF_User = "DA_UserId";..var DF_Host = "https://localhost:736/SCM/4.0/da.esp";..var BYTES_PER_CHUNK = 5000000;..var base64Data = "";..var PB;......// jQuery ajax transport for making binary data type requests...// Use this transport for "binary" data transfers...$.ajaxTransport("+binary", function (options, originalOptions, jqXHR) {.. // check for conditions and support for blob / arraybuffer response type.. if ((options.dataType && (options.dataType == 'binary')) || (options.data && ((window.ArrayBuffer && options.data instanceof ArrayBuffe
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):282944
                                                                                                                                                                                Entropy (8bit):5.083336235252651
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:8L7hmFRcHCAkwxc5c84OfkK0alZOVJFpqfzf382b6YI1f8sA20MR:85O4OfgsZcIu1f1AUR
                                                                                                                                                                                MD5:3B80424646A7ECDB19273D86800C1AC0
                                                                                                                                                                                SHA1:6945741107601D402C70A13CE46EB72FD1168BC8
                                                                                                                                                                                SHA-256:CE0343E1D6F489768EEEFE022C12181C6A0822E756239851310ACF076D23D10C
                                                                                                                                                                                SHA-512:E68CAB6907368B1598E97BB86F44A788DEA3EF9480AB4A110FD21F280BD6DFA2CEB1DB3BD49A781816D4F78BEF7A333A0B20F0D2715B78516754C98D6E7E190C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*!. * jQuery JavaScript Library v1.11.0. * http://jquery.com/. *. * Includes Sizzle.js. * http://sizzlejs.com/. *. * Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors. * Released under the MIT license. * http://jquery.org/license. *. * Date: 2014-01-23T21:02Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper window is present,...// execute the factory and get jQuery...// For environments that do not inherently posses a window with a document...// (such as Node.js), expose a jQuery-making factory as module.exports...// This accentuates the need for the creation of a real window...// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info...module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (32086)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):95786
                                                                                                                                                                                Entropy (8bit):5.393689635062045
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:/PEkjP+iADIOr/NEe876nmBu3HvF38sEeLHFoqqhJ7SerN5wVI+xcBmPv7E+nzm6:ENMyqhJvN32cBC7M6Whca98HrB
                                                                                                                                                                                MD5:8101D596B2B8FA35FE3A634EA342D7C3
                                                                                                                                                                                SHA1:D6C1F41972DE07B09BFA63D2E50F9AB41EC372BD
                                                                                                                                                                                SHA-256:540BC6DEC1DD4B92EA4D3FB903F69EABF6D919AFD48F4E312B163C28CFF0F441
                                                                                                                                                                                SHA-512:9E1634EB02AB6ACDFD95BF6544EEFA278DFDEC21F55E94522DF2C949FB537A8DFEAB6BCFECF69E6C82C7F53A87F864699CE85F0068EE60C56655339927EEBCDB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with very long lines (64560)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):228539
                                                                                                                                                                                Entropy (8bit):5.152646332443805
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:mnhStzLZwyt83OegZBPit/FoCv62jHesF7XWzx9GV1+1/4L9fSz8:gAFx+2UB62besF7XWzx9G
                                                                                                                                                                                MD5:202A3D794B47E0CB0638B465301769DD
                                                                                                                                                                                SHA1:5395BA95100F253A28143410CB02C58BDC8E6DFF
                                                                                                                                                                                SHA-256:FD2A5EDD4D12D6B68A50C69877DB293E83787ACCEA605FF53817FB45F91CAA16
                                                                                                                                                                                SHA-512:FAB7F2613D5E0716BDC9532DD638B6005E3828A59917795CBE095E2E12E38B0B2A50DB9FD545B97D3D06325221E01E8C8F5145E413D51CD949D0BD387DA0EB25
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/*! jQuery UI - v1.10.4 - 2014-01-19.* http://jqueryui.com.* Includes: jquery.ui.core.js, jquery.ui.widget.js, jquery.ui.mouse.js, jquery.ui.position.js, jquery.ui.draggable.js, jquery.ui.droppable.js, jquery.ui.resizable.js, jquery.ui.selectable.js, jquery.ui.sortable.js, jquery.ui.accordion.js, jquery.ui.autocomplete.js, jquery.ui.button.js, jquery.ui.datepicker.js, jquery.ui.dialog.js, jquery.ui.menu.js, jquery.ui.progressbar.js, jquery.ui.slider.js, jquery.ui.spinner.js, jquery.ui.tabs.js, jquery.ui.tooltip.js, jquery.ui.effect.js, jquery.ui.effect-blind.js, jquery.ui.effect-bounce.js, jquery.ui.effect-clip.js, jquery.ui.effect-drop.js, jquery.ui.effect-explode.js, jquery.ui.effect-fade.js, jquery.ui.effect-fold.js, jquery.ui.effect-highlight.js, jquery.ui.effect-pulsate.js, jquery.ui.effect-scale.js, jquery.ui.effect-shake.js, jquery.ui.effect-slide.js, jquery.ui.effect-transfer.js.* Copyright 2014 jQuery Foundation and other contributors; Licensed MIT */..(function(e,t){function
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):13945
                                                                                                                                                                                Entropy (8bit):4.789463042290839
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:Trx7pT23ki75/23kiiPvom0akcU8jluDQMO3raekNAcGg1Zayn4:hti5uXmHkc3RuDjsf7g1ZaX
                                                                                                                                                                                MD5:00EC40C3AA384CC86A58BCCC83CFFD52
                                                                                                                                                                                SHA1:BFA37BC76A292F376A2318F2EB43F0B69F7E1A33
                                                                                                                                                                                SHA-256:156A7DDBAA02A7DC1BF236EA9E512D72EC84347CD35ECB99CB1793B9B88843D4
                                                                                                                                                                                SHA-512:2C61554DF6EA2331FD3E4C1EB56A13FFD7A3953BC7DA4AF5F610D0A72C74DEC80F8A7E7288A86917C826AF3CC1C3D5D83DBBB8791E8B19B65F1B141951726CED
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:// JavaScript source code....var SCMSAPI_USERID = "ScmSapiHtml";..var SAPI_HOST = "https://localhost:736/SCM/4.0/scm.esp";....var _SapiHostUrl = "";....var ResponseStatus = {.. OK: "Ok",.. EXCEPTION: "Exception",.. TIMEOUT: "Timeout"..};....var ExceptionType = {.. ERROR: "Error",.. RECOVERY: "Recovery",.. WARNING: "Warning",.. NOITEM: "NoMoreItems",.. DECISION: "AtDecisionPoint",.. STOP: "UserStopped",.. EVENT: "ScannerEvent"..};....var SapiApi = {.. UseNetworkScannerAppwebUrl: function (serialnumber) {.. _SapiHostUrl = "https://" + "RD" + serialnumber + "/SCM/4.0/scm.esp";.. },.... UseClientAppwebUrl: function () {.. _SapiHostUrl = SAPI_HOST;.. },.... FindScanners: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("FindScanners", parameterobj, callback);.. },.... ActivateScanner: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("ActivateScanner", parameterobj, callback
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2254
                                                                                                                                                                                Entropy (8bit):5.059274097319649
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:bJKVzATzKtAQCwn7wAqZLQaPIvLIw9IVV2l/+bewb0YwwkWr:bgVz+jwsAqZ6v0w9I/mw9wwVr
                                                                                                                                                                                MD5:186A8E49402CB6C7CD54D43A8269DA90
                                                                                                                                                                                SHA1:4D3A4F5EA1AB5B4E6DBE0D985600B8383D064A34
                                                                                                                                                                                SHA-256:916E73B03B6287D2B125AC610985C6A3A77DEFB48801F86A8EF0E2AF200625FD
                                                                                                                                                                                SHA-512:253FF718B7D67BC178FA281FD1EF17EDCFC6135408B1A5061FC76825D269EEBC48404338226DAEC406542FADB1C6103656E7467F11C94620C14CDBE94CAAAA39
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:var STATUS_DISCONNECTED.....= 0;..var STATUS_CONNECTED.....= 1;..var STATUS_CONNECT_ERROR....= 2;..var STATUS_DISCONNECTING....= 3;..var STATUS_CONNECTING.....= 4;..var STATUS_SCANNING......= 5;..var STATUS_SCANNING_ERROR....= 6;..var STATUS_SCANNING_INPUT....= 13;..var STATUS_STOPPING......= 14;..var STATUS_STOPPING_CANCEL....= 15;..var STATUS_STOPPING_HOPPEREMPTY...= 16;..var STATUS_INIT_FAILED.....= 17;..var STATUS_AUTODETECTING....= 18;..// Recovery Code: adding a recovery status..var STATUS_SCANNING_RECOVERY...= 19;..//the constant to track whether Flat bed scanner's cancel button was clicked..var CANCEL_TWAIN_FLATBED = 20;......var SCANNERMODEL_UNKNOWN....= -1;..var SCANNERMODEL_EMPTY.....= -2;..var SCANNERMODEL_EC6000.....= 1;..var SCANNERMODEL_ECSERIES ....= 2;..var SCANNERMODEL_DCC210.....= 4;..var SCANNERMODEL_DCC220.....= 5;..var SCANNERMODEL_DCC350.....= 6;..var SCANNERMODEL_PANINI.....= 7;..var SCANNERMODEL_DCC215.....= 8;..var SCANNERMODEL_DCC230.....= 9;..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2435
                                                                                                                                                                                Entropy (8bit):4.800004037117997
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ApHOSZ+Nn/GbibsfAoYTpobLpRN9DIqrMx:ApH/+/WfAoYTpoPpRTIqO
                                                                                                                                                                                MD5:B6A092DCF5932F7C4031BBAE214E5377
                                                                                                                                                                                SHA1:E4F8530FA9FB9B12166D3F206C34826462751C56
                                                                                                                                                                                SHA-256:D0301D852AEF2DE12CDEDD6ABD1E396EA479D39FEA897B09AFBE2767EDE86030
                                                                                                                                                                                SHA-512:EBDC0CE7AC5949748C7936788482C8062A0524656C8A0133FBD5AE4E60382271768A0A0F486E717BC44F4BF6CF9FF95FB53F76E8FEA4727671F1322F992C8BE8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true</DoubleDocDetectEnabled>.. <DoubleDocThreshold></DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2434
                                                                                                                                                                                Entropy (8bit):4.802397601214804
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:Ap+OhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+M+/WfAoYTpo/pRTIqO
                                                                                                                                                                                MD5:82A506D9EB608EB4AC1E2C2CA00E6DB5
                                                                                                                                                                                SHA1:54AF5F7F8FD9E5290F0A8AA62317D434A8CB7F65
                                                                                                                                                                                SHA-256:4AAB4377DCB51C1F367704D2DC8A510DE7256AB1D9D283918E510BA016B34FA3
                                                                                                                                                                                SHA-512:252199635D3A1D00B4900E44B6A8B2A714A83F9C21A039CE51F9B767EAD3DBF22870C1D859B109A30EF489B92F19726881A661562179213A4695568FEC7F83E9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2463
                                                                                                                                                                                Entropy (8bit):4.8141008898143145
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoGkpRN9DIqrMx:ApHM+/WfAoYTpoFpRTIqO
                                                                                                                                                                                MD5:E9420005FFE39797B269B155679FA57F
                                                                                                                                                                                SHA1:C4DF624179BD6929CD6B1AF0041E82FEEB4945A3
                                                                                                                                                                                SHA-256:E164855CF50954B1DB75A4E7B26C91A4C702D0BFF67169E97F3F850B70B2F0FD
                                                                                                                                                                                SHA-512:F83E51B836E8D6DE9D987C564198B9EB3A7808F07068596026A88DC177F602660014840EF02A612F28EE8656EA2E310E436F85213F4446832E35CB3D55A27FD7
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2456
                                                                                                                                                                                Entropy (8bit):4.8042428201422025
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ApHOhZ+Nn/GbibvCAoYTpobLpRN9DIqrMx:ApHM+/BCAoYTpoPpRTIqO
                                                                                                                                                                                MD5:33953AFFF7BC693F3A43A4FFB8C8F246
                                                                                                                                                                                SHA1:B9124EFE18E420340DA9E22031CF8C43694732C3
                                                                                                                                                                                SHA-256:D9E02876CF4A30A19DD2C400459D26F99B7D5879EAE89441D71D7B456321703D
                                                                                                                                                                                SHA-512:2E234FB45AD94F0AA0001750E76663248ED7DB6CB7160456CBD45E239A53593AA8A758238F195C9479C80BA575D0D422F23714819CFA989F3189791E1F831D0C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2435
                                                                                                                                                                                Entropy (8bit):4.802539388842096
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHM+/WfAoYTpo/pRTIqO
                                                                                                                                                                                MD5:640F7ABB77347ED65E1F1DC5178A39E6
                                                                                                                                                                                SHA1:79B78C41A1AB54276871A2779FEB0212673353B7
                                                                                                                                                                                SHA-256:96D9D9D4E084E3A613849363639AA2FFFE960F43919A9C582020F1A572DC3948
                                                                                                                                                                                SHA-512:D90AB6EDE3D640CDA7FCC6310737D39D4D372E81786F4B5A325D18D07686DC51C621AF1E1D18EA52CD551524C51E13E4E819706FBB76A9AD9527A1557F8D97BB
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2434
                                                                                                                                                                                Entropy (8bit):4.802397601214804
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ApHOeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHR+/WfAoYTpo/pRTIqO
                                                                                                                                                                                MD5:450234ED909316D4530B35619DF29748
SHA1:CCD2BDA1E96B47D516129AE60849354B045DBB48
SHA-256:4A0CCCB41BE86930D3CAFC7DB21A839152F86EB605F0854616F13992AA7A8A66
SHA-512:1A3172370F65DA31AFB62C9BE2986540F00B6F3EDE429C3B7EDA6496DEC9000B2423497F0017196B1316A53560300E07D0E052B9FC52A052DD4CD580AFA43CF6
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2448
Entropy (8bit):4.802566723178274
Encrypted:false
SSDEEP:48:Ap+OeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:Ap+R+/BBAoYTpo/pRTIqO
MD5:D105186A9CBE53E2066F626F74BD3D40
SHA1:87FC9988608C3F957E8A11235AB1A92ACC116AD5
SHA-256:5710B45A359AE70D86C1A83F402282F33EADD60DD3E376CD1B19A46223318447
SHA-512:B8ACAA948FAF0B08D2EAF55BCC50A273E0D56180F7A55E2A805C9113270936BF3790A30E73DDEFDABC7DADBF22DB0F146F7CB068EB198BBB7BAFF2499EB60224
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2433
Entropy (8bit):4.802174027638217
Encrypted:false
SSDEEP:48:Ap+OeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+R+/WfAoYTpo/pRTIqO
MD5:3D487B9E931A89A3CE3D2C2A7B988F6B
SHA1:82316073F4C52EF1CAF3C52B1F6DAD0CF15807A4
SHA-256:9A7A50123C14825FEE2D1A9603626A84B19ADAB889741CA9775EF8E9829620B7
SHA-512:FE1FEFF24FB20E4AF5447D481BA74AE4CA19DDF18F5D557CA33258F5EB6CBD95923CC9DE63E352711A3BA37F72543275CE6B83453945B79C3DF36E4AEB160A8B
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2449
Entropy (8bit):4.802855095023468
Encrypted:false
SSDEEP:48:ApHOeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:ApHR+/BBAoYTpo/pRTIqO
MD5:6A5A5F89B38F524FE3413FF11AC15AA0
SHA1:42B43B77B233F2651E41B8DDD29B832EE1E0E994
SHA-256:34F69AADAEBEF3C1956F50E1377E64A2843FE070B55E280D5CDA57CC39BAD76D
SHA-512:A304002DAF889C51522F0940A39E04B2AB16536E8FFD14D4BBC73A096F71ADC80CE8AD3CA257BB378AE1BC698D7FF436091FF27A34DDA5463C796D2ABA3D829C
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2434
Entropy (8bit):4.801355246563097
Encrypted:false
SSDEEP:48:ApHOtZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHS+/WfAoYTpo/pRTIqO
MD5:96D7F86F2424FB3C81DFA941BF2B06C7
SHA1:0B7F2675B0EDEA524C54434C6478706BFCBC6C18
SHA-256:89A26AFCAB8D83AF5AE90EFE8B2DE68633FF61066EF5ABAC4640E720067A39B8
SHA-512:F330DA55092C629464684C13742DFC9736B05950EE5F4C21578050E286293F8AC44745A311EA34481AE139BE908EC6C8F9BF14CC07269E23BBE4FA3A06B196FC
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>0</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:Non-ISO extended-ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2809
Entropy (8bit):5.00659219460721
Encrypted:false
SSDEEP:48:AGrN2Z5NonPbibwKY2osKu2oJRjkKKS2RNBBIAqrMx:AGrEpGfKY2osKu2oJRjkrS2R2AqO
MD5:C300DDAF230F3789ADC4DC805229245D
SHA1:7E80DA3FA76D8BD7893B8A9FF59F81010D5E5F7D
SHA-256:12F68599A82951D345E1AFE8298259389BC43DDC2E908BAACD6A355AE0945570
SHA-512:CDA4B9D1A0D54FF8EE657067C963D464414A3BCB67187DBB56EB833405515A14449F3763B8BC812ED2B299CD01E67207731C6B3D48DE71666F88F8B6A83A3240
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal[imgonly|card|msr]</ScanningMode>.. <FrankingEnabled>false[true]</FrankingEnabled>.. <WantCodeline>true[false]</WantCodeline>.. <ReturnedImages>front[,rear]</ReturnedImages>.. <StageDocuments>false[true]</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true[false]</DoubleDocDetectEnabled>.. <DoubleDocThreshold>[value from 0-100]</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true[false]</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW[Gray|Color]</Color>.. <Compression>G4[JPEG|None]</Compression>.. <Format>RAW[TIFF|MULTITIFF|BMP|DIB]</Format>.. <DPI>200[100,300,600]</DPI>.. <CropImage>Yes[No]</CropImage>.. <ImageSizeT

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2455
Entropy (8bit):4.801955747824934
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibsfAojspobLpRN9DIqrMx:ApHM+/WfAojspoPpRTIqO
MD5:8AA824E7A317631798B2AC260F01DA51
SHA1:7767B02B382D7923AD53A893139C7F4E4FBCCB96
SHA-256:AE40FA98A38A4712BF3D702788FA25F2320D5F94D558CA1788F4C08A060F381B
SHA-512:90A84D159026746969AD5259170EE02F5FBBDC95A270734151270DE8F4B11AB4B2D6734E15F3A775444597DA938ACB7B688905954D77DA12E7FA9071958E768A
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2434
Entropy (8bit):4.802397601214804
Encrypted:false
SSDEEP:48:ApHOeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHR+/WfAoYTpo/pRTIqO
MD5:450234ED909316D4530B35619DF29748
SHA1:CCD2BDA1E96B47D516129AE60849354B045DBB48
SHA-256:4A0CCCB41BE86930D3CAFC7DB21A839152F86EB605F0854616F13992AA7A8A66
SHA-512:1A3172370F65DA31AFB62C9BE2986540F00B6F3EDE429C3B7EDA6496DEC9000B2423497F0017196B1316A53560300E07D0E052B9FC52A052DD4CD580AFA43CF6
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:Non-ISO extended-ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2809
Entropy (8bit):5.00659219460721
Encrypted:false
SSDEEP:48:AGrN2Z5NonPbibwKY2osKu2oJRjkKKS2RNBBIAqrMx:AGrEpGfKY2osKu2oJRjkrS2R2AqO
MD5:C300DDAF230F3789ADC4DC805229245D
SHA1:7E80DA3FA76D8BD7893B8A9FF59F81010D5E5F7D
SHA-256:12F68599A82951D345E1AFE8298259389BC43DDC2E908BAACD6A355AE0945570
SHA-512:CDA4B9D1A0D54FF8EE657067C963D464414A3BCB67187DBB56EB833405515A14449F3763B8BC812ED2B299CD01E67207731C6B3D48DE71666F88F8B6A83A3240
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal[imgonly|card|msr]</ScanningMode>.. <FrankingEnabled>false[true]</FrankingEnabled>.. <WantCodeline>true[false]</WantCodeline>.. <ReturnedImages>front[,rear]</ReturnedImages>.. <StageDocuments>false[true]</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true[false]</DoubleDocDetectEnabled>.. <DoubleDocThreshold>[value from 0-100]</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true[false]</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW[Gray|Color]</Color>.. <Compression>G4[JPEG|None]</Compression>.. <Format>RAW[TIFF|MULTITIFF|BMP|DIB]</Format>.. <DPI>200[100,300,600]</DPI>.. <CropImage>Yes[No]</CropImage>.. <ImageSizeT

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2434
Entropy (8bit):4.801355246563097
Encrypted:false
SSDEEP:48:ApHOtZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHS+/WfAoYTpo/pRTIqO
MD5:96D7F86F2424FB3C81DFA941BF2B06C7
SHA1:0B7F2675B0EDEA524C54434C6478706BFCBC6C18
SHA-256:89A26AFCAB8D83AF5AE90EFE8B2DE68633FF61066EF5ABAC4640E720067A39B8
SHA-512:F330DA55092C629464684C13742DFC9736B05950EE5F4C21578050E286293F8AC44745A311EA34481AE139BE908EC6C8F9BF14CC07269E23BBE4FA3A06B196FC
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>0</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2463
Entropy (8bit):4.8141008898143145
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoGkpRN9DIqrMx:ApHM+/WfAoYTpoFpRTIqO
MD5:E9420005FFE39797B269B155679FA57F
SHA1:C4DF624179BD6929CD6B1AF0041E82FEEB4945A3
SHA-256:E164855CF50954B1DB75A4E7B26C91A4C702D0BFF67169E97F3F850B70B2F0FD
SHA-512:F83E51B836E8D6DE9D987C564198B9EB3A7808F07068596026A88DC177F602660014840EF02A612F28EE8656EA2E310E436F85213F4446832E35CB3D55A27FD7
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2455
Entropy (8bit):4.801955747824934
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibsfAojspobLpRN9DIqrMx:ApHM+/WfAojspoPpRTIqO
MD5:8AA824E7A317631798B2AC260F01DA51
SHA1:7767B02B382D7923AD53A893139C7F4E4FBCCB96
SHA-256:AE40FA98A38A4712BF3D702788FA25F2320D5F94D558CA1788F4C08A060F381B
SHA-512:90A84D159026746969AD5259170EE02F5FBBDC95A270734151270DE8F4B11AB4B2D6734E15F3A775444597DA938ACB7B688905954D77DA12E7FA9071958E768A
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2448
Entropy (8bit):4.802566723178274
Encrypted:false
SSDEEP:48:Ap+OeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:Ap+R+/BBAoYTpo/pRTIqO
MD5:D105186A9CBE53E2066F626F74BD3D40
SHA1:87FC9988608C3F957E8A11235AB1A92ACC116AD5
SHA-256:5710B45A359AE70D86C1A83F402282F33EADD60DD3E376CD1B19A46223318447
SHA-512:B8ACAA948FAF0B08D2EAF55BCC50A273E0D56180F7A55E2A805C9113270936BF3790A30E73DDEFDABC7DADBF22DB0F146F7CB068EB198BBB7BAFF2499EB60224
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2435
Entropy (8bit):4.800004037117997
Encrypted:false
SSDEEP:48:ApHOSZ+Nn/GbibsfAoYTpobLpRN9DIqrMx:ApH/+/WfAoYTpoPpRTIqO
MD5:B6A092DCF5932F7C4031BBAE214E5377
SHA1:E4F8530FA9FB9B12166D3F206C34826462751C56
SHA-256:D0301D852AEF2DE12CDEDD6ABD1E396EA479D39FEA897B09AFBE2767EDE86030
SHA-512:EBDC0CE7AC5949748C7936788482C8062A0524656C8A0133FBD5AE4E60382271768A0A0F486E717BC44F4BF6CF9FF95FB53F76E8FEA4727671F1322F992C8BE8
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true</DoubleDocDetectEnabled>.. <DoubleDocThreshold></DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2435
Entropy (8bit):4.802539388842096
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHM+/WfAoYTpo/pRTIqO
MD5:640F7ABB77347ED65E1F1DC5178A39E6
SHA1:79B78C41A1AB54276871A2779FEB0212673353B7
SHA-256:96D9D9D4E084E3A613849363639AA2FFFE960F43919A9C582020F1A572DC3948
SHA-512:D90AB6EDE3D640CDA7FCC6310737D39D4D372E81786F4B5A325D18D07686DC51C621AF1E1D18EA52CD551524C51E13E4E819706FBB76A9AD9527A1557F8D97BB
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2449
Entropy (8bit):4.802855095023468
Encrypted:false
SSDEEP:48:ApHOeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:ApHR+/BBAoYTpo/pRTIqO
MD5:6A5A5F89B38F524FE3413FF11AC15AA0
SHA1:42B43B77B233F2651E41B8DDD29B832EE1E0E994
SHA-256:34F69AADAEBEF3C1956F50E1377E64A2843FE070B55E280D5CDA57CC39BAD76D
SHA-512:A304002DAF889C51522F0940A39E04B2AB16536E8FFD14D4BBC73A096F71ADC80CE8AD3CA257BB378AE1BC698D7FF436091FF27A34DDA5463C796D2ABA3D829C
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2434
Entropy (8bit):4.802397601214804
Encrypted:false
SSDEEP:48:Ap+OhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+M+/WfAoYTpo/pRTIqO
MD5:82A506D9EB608EB4AC1E2C2CA00E6DB5
SHA1:54AF5F7F8FD9E5290F0A8AA62317D434A8CB7F65
SHA-256:4AAB4377DCB51C1F367704D2DC8A510DE7256AB1D9D283918E510BA016B34FA3
SHA-512:252199635D3A1D00B4900E44B6A8B2A714A83F9C21A039CE51F9B767EAD3DBF22870C1D859B109A30EF489B92F19726881A661562179213A4695568FEC7F83E9
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2456
Entropy (8bit):4.8042428201422025
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibvCAoYTpobLpRN9DIqrMx:ApHM+/BCAoYTpoPpRTIqO
MD5:33953AFFF7BC693F3A43A4FFB8C8F246
SHA1:B9124EFE18E420340DA9E22031CF8C43694732C3
SHA-256:D9E02876CF4A30A19DD2C400459D26F99B7D5879EAE89441D71D7B456321703D
SHA-512:2E234FB45AD94F0AA0001750E76663248ED7DB6CB7160456CBD45E239A53593AA8A758238F195C9479C80BA575D0D422F23714819CFA989F3189791E1F831D0C
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse

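The entries above are a run of near-identical scanner configuration profiles: the same Inno Setup temp process drops all of them, they are plain ASCII of 2433 to 2463 bytes, all are rated Malicious:false, and the only content the report shows is the truncated Preview. When a sandbox lists a dozen files like this, the triage question is which settings actually vary and whether any is malformed. The helper below is an added example, not code from the Joe Sandbox report or from the installer it analyses. Its input is four Preview strings copied from the entries above, keyed by the MD5 the report gives for each file. It assumes that the report prints each non-printable byte as '.', so ".. " is the CRLF line terminator the File Type field names plus the file's indentation, and that each preview is cut off mid-tag (at "<PhysicalEndorse..."); the cut-off tail is ignored, not parsed.

```python
import re

# Constructed sample input: four Preview fields copied from the dropped-file
# entries above, keyed by the report's MD5 for each file. Assumption: '..' is
# the rendered CRLF, and every preview ends inside an unterminated tag.
PREVIEWS = {
    "96D7F86F2424FB3C81DFA941BF2B06C7": (
        "<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. "
        "<FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. "
        "<ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. "
        "<MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. "
        "<DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. "
        "<DocPocket>0</DocPocket>.. </Scanning>.. <TwainOptions>.. "
        "<HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. "
        "<Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. "
        "<CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. "
        "<ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem"
    ),
    "E9420005FFE39797B269B155679FA57F": (
        "<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. "
        "<FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. "
        "<ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. "
        "<MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. "
        "<DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. "
        "<DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. "
        "<HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. "
        "<Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. "
        "<CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. "
        "<ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse"
    ),
    "D105186A9CBE53E2066F626F74BD3D40": (
        "<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. "
        "<FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. "
        "<ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. "
        "<MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. "
        "<DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. "
        "<DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. "
        "<HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. "
        "<Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. "
        "<CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. "
        "<ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme"
    ),
    "B6A092DCF5932F7C4031BBAE214E5377": (
        "<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. "
        "<FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. "
        "<ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. "
        "<MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. "
        "<DoubleDocDetectEnabled>true</DoubleDocDetectEnabled>.. <DoubleDocThreshold></DoubleDocThreshold>.. "
        "<DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. "
        "<HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. "
        "<Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. "
        "<CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. "
        "<ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme"
    ),
}

# A complete leaf element: <name>text</name> with no nested tag inside.
LEAF_RE = re.compile(r"<([A-Za-z_][\w.-]*)>([^<]*)</\1>")


def unrender(preview):
    """Undo the report's rendering: each '..' (a CRLF) becomes a newline."""
    return preview.replace("..", "\n")


def is_truncated(preview):
    """True when the preview stops inside a tag: the last '<' has no '>' after it."""
    return preview.rfind("<") > preview.rfind(">")


def leaf_elements(preview):
    """Map every complete leaf element to its value.

    Containers such as <Scanning> are skipped because their content contains
    '<', and the cut-off tail ("<PhysicalEndorsem") never matches, so a
    truncated preview degrades to fewer fields instead of a parse error.
    """
    return {name: value.strip() for name, value in LEAF_RE.findall(preview)}


def differing_fields(previews):
    """Fields whose value is not identical in every file -> {field: {md5: value}}."""
    parsed = {md5: leaf_elements(p) for md5, p in previews.items()}
    fields = sorted(set().union(*(d.keys() for d in parsed.values())))
    result = {}
    for field in fields:
        values = {md5: d.get(field) for md5, d in parsed.items()}  # None = absent
        if len(set(values.values())) > 1:
            result[field] = values
    return result


def empty_fields(preview):
    """Fields that are present but blank, e.g. a threshold enabled without a value."""
    return sorted(n for n, v in leaf_elements(preview).items() if v == "")


if __name__ == "__main__":
    for field, values in differing_fields(PREVIEWS).items():
        print(field, values)
    for md5, preview in PREVIEWS.items():
        if empty_fields(preview):
            print(md5, "blank fields:", empty_fields(preview))
        if is_truncated(preview):
            print(md5, "preview truncated; fields after the cut were not compared")
```

On these four previews the only fields that vary are FrankingEnabled, StageDocuments, DoubleDocDetectEnabled, DoubleDocThreshold and DocPocket, and the file with MD5 B6A092DCF5932F7C4031BBAE214E5377 enables double-document detection while leaving the threshold blank. The comparison covers only the roughly 800 bytes the report shows: two entries above (MD5 E9420005FFE39797B269B155679FA57F and 8AA824E7A317631798B2AC260F01DA51) have byte-identical previews yet different sizes and ssdeep values, so their differences lie past the cut and need the dropped files themselves, not the report.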
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2433
Entropy (8bit):4.802174027638217
Encrypted:false
SSDEEP:48:Ap+OeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+R+/WfAoYTpo/pRTIqO
MD5:3D487B9E931A89A3CE3D2C2A7B988F6B
SHA1:82316073F4C52EF1CAF3C52B1F6DAD0CF15807A4
SHA-256:9A7A50123C14825FEE2D1A9603626A84B19ADAB889741CA9775EF8E9829620B7
SHA-512:FE1FEFF24FB20E4AF5447D481BA74AE4CA19DDF18F5D557CA33258F5EB6CBD95923CC9DE63E352711A3BA37F72543275CE6B83453945B79C3DF36E4AEB160A8B
Malicious:false
                                                                                                                                                                                Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):11222
                                                                                                                                                                                Entropy (8bit):4.906615747950895
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:xWv/rVEWWgcGLjqayPyeTb8Ap4gqQ+M8ddspnW:xlnaS7EAR+M8PEnW
                                                                                                                                                                                MD5:4404937977A219AE6C282C86BC2E3588
                                                                                                                                                                                SHA1:BBF9498F2E2DB853B6FAB2EC8C0D2DE9DC0233E0
                                                                                                                                                                                SHA-256:92144E3BD70A3DB922443EDFAAF040083804569FCE67E5A62604BFCEF98EC6BF
                                                                                                                                                                                SHA-512:C68B375DBB23BBC5B19C9F0BA439F6F50745F61E3B279ED208D9B8BF58D034DC7DC65A464D7312F66233AB10993684D038FD584C480C4814B942BD3A8B61633F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:<!DOCTYPE html>..<html language="en">..<head>..<meta charset="utf-8">...<title>RDM - Scanner</title>...<meta name="description" content="Transform your Payments with RDM RDM Corporation is a provider of Remote Deposit Capture (RDC), integrated receivables and payment processing solutions designed to help clients simplify the way they do business.">.. <meta name="author" content="Geoff Culley - RDM Corporation">.... <link rel="stylesheet" href="css/smoothness/jquery-ui-1.10.4.custom.min.css">...<script src="js/jquery-1.11.1.min.js"></script>...<script src="js/jquery-ui-1.10.4.custom.min.js"></script>.... <script>....$(function() { $( "#tabs" ).tabs({active: 1}); });...</script>.... <style>.. .body{.....width: 100%;.. height:100%;...... padding:0;.. margin:0;.....font-family:helvetica,sans-serif;.....background-color:#f2f2f2;....}.... li a{.. outline:none;.. }.... #wrapper{.. min-height:100%;..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):733349
                                                                                                                                                                                Entropy (8bit):6.506487301120614
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:RsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9zk:yMcMoi3rPR37dzHRA6G7WbuSEmK50zy0
                                                                                                                                                                                MD5:9C0680C10EA44E4F9A2A461D4260E6D3
                                                                                                                                                                                SHA1:DEB400C82E04CC49DE0AB4B8816723D29ED5CF7C
                                                                                                                                                                                SHA-256:123D677281EB988B2B7BA053781B6AE71A88BC9EA71D4695E109AD81765CB0B0
                                                                                                                                                                                SHA-512:EA25EAB767CF4668F66CB5CE199BDACC24C1F569DB6F023DCBB5449796C664A994438149CE6319396B999F72928C8D04A6AA8B2E3EB601C67524F15A4F49EA31
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................h....................@.......................................@......@...............................&.......+...................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc....+.......,..................@..P.....................r..............@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:InnoSetup Log RDM Appweb, version 0x30, 8819 bytes, 820094\user, "C:\Program Files (x86)\RDM Corporation\RDM Appweb"
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):8819
                                                                                                                                                                                Entropy (8bit):5.023842952349881
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:zLdm64kQ5m73ihQP0ZBRPbRevyvz5v6ic44cVSQs0hnpDwrhL7Z9a77phKT8t8S:zBIQPKBReQ5IcVSQvnU7Ta77phKe
                                                                                                                                                                                MD5:3FAC6FE6ECF759BD52B50741CF9D5E38
                                                                                                                                                                                SHA1:3EE5976E5F0B93FC35404EDCBE9FCEEAEAC289C4
                                                                                                                                                                                SHA-256:A1C102CC9BD14781A04E22C725D8F266956D1591709E4AD53467186D882F10AB
                                                                                                                                                                                SHA-512:780D7595F4C3BCB5ACA98A79CE41E4F4778C2F9CB876EF1DD17089EDC7917D441BEDD0B6BB4F73E3A4A52E120D4048EE0B7FEABE0F2129E063A6BC72FBBAE90C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Inno Setup Uninstall Log (b)....................................RDM Appweb......................................................................................................................RDM Appweb......................................................................................................................0...4...s"..%...............................................................................................................V..8........j.........T....820094.user1C:\Program Files (x86)\RDM Corporation\RDM Appweb...........#...s.. ............IFPS.............................................................................................................BOOLEAN.......................................................................................!MAIN....-1.............ADDPATH....-1 @8 @8..ISADMINLOGGEDON.......ISPOWERUSERLOGGEDON.......REGVALUEEXISTS..........REGQUERYSTRINGVALUE...........POS.........SETARRAYLENGTH.......COPY..........LENGTH........ISUNINSTALLER.....
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):733349
                                                                                                                                                                                Entropy (8bit):6.506487301120614
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:RsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9zk:yMcMoi3rPR37dzHRA6G7WbuSEmK50zy0
                                                                                                                                                                                MD5:9C0680C10EA44E4F9A2A461D4260E6D3
                                                                                                                                                                                SHA1:DEB400C82E04CC49DE0AB4B8816723D29ED5CF7C
                                                                                                                                                                                SHA-256:123D677281EB988B2B7BA053781B6AE71A88BC9EA71D4695E109AD81765CB0B0
                                                                                                                                                                                SHA-512:EA25EAB767CF4668F66CB5CE199BDACC24C1F569DB6F023DCBB5449796C664A994438149CE6319396B999F72928C8D04A6AA8B2E3EB601C67524F15A4F49EA31
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................h....................@.......................................@......@...............................&.......+...................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc....+.......,..................@..P.....................r..............@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3131328
                                                                                                                                                                                Entropy (8bit):6.377177227761894
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:FEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF33383:J92bz2Eb6pd7B6bAGx7b333Y
                                                                                                                                                                                MD5:895924B96B8B7BC52781E921E0AB93B8
                                                                                                                                                                                SHA1:3574ED0904E9386F602E181592F3DCF951A4F36B
                                                                                                                                                                                SHA-256:8CAC9F851CF868D6764058F43CC63DADF6CF7964D12E45367156AC4F7626AD55
                                                                                                                                                                                SHA-512:C8FF044AACB9E21BD211F0946FCF78222543CFBA0266D026831D35ADB21109A84132485A91BA9E0333EC2856F82D22EDDE1BE7251D2EA5FEA535709E85CD43CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....A.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:InnoSetup Log RDM Download Agent 4.0.4.0 {2A5E899A-C6CB-4617-A67C-756CA37B36B0}, version 0x418, 45649 bytes, 820094\37\user\, C:\Program Files (x86)\RDM Corporation\376
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):45649
                                                                                                                                                                                Entropy (8bit):4.003558419483737
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:Nr37VBmowNjxHvrxncBou08GN6CkNOMnlfGibvGyyikB20A7AFbmy+:R77mowNjxHvrxncBr08GN6CkNOMnlf5H
                                                                                                                                                                                MD5:781790689B6AFEB03398D79057ABE311
                                                                                                                                                                                SHA1:C88C64D2E659E81ACE2C7C33BEBABD154EB1F63E
                                                                                                                                                                                SHA-256:992946BF1AF44ED58E380D8023FCD978A4BD936EE364F4C2096A5B5EAA6913BF
                                                                                                                                                                                SHA-512:38CF86D2249C67691D86C8DEA3754785BDA107C2129EBF97E62358E3D5ED6D28302F7BAB918ECD146CA96F0A3CAA12B43FF85A40B5E197F8D51C4A1A49AE2B30
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:Inno Setup Uninstall Log (b)....................................{2A5E899A-C6CB-4617-A67C-756CA37B36B0}..........................................................................................RDM Download Agent 4.0.4.0..........................................................................................................Y...Q...................................................................................................................^.-..........<_x...............8.2.0.0.9.4......e.n.g.i.n.e.e.r......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.R.D.M. .C.o.r.p.o.r.a.t.i.o.n................#...... ......t.......IFPS....,...d....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TNEWSTATICTEXT....TNEWSTATICTEXT.......
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3131328
                                                                                                                                                                                Entropy (8bit):6.377177227761894
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:FEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF33383:J92bz2Eb6pd7B6bAGx7b333Y
                                                                                                                                                                                MD5:895924B96B8B7BC52781E921E0AB93B8
                                                                                                                                                                                SHA1:3574ED0904E9386F602E181592F3DCF951A4F36B
                                                                                                                                                                                SHA-256:8CAC9F851CF868D6764058F43CC63DADF6CF7964D12E45367156AC4F7626AD55
SHA-512:C8FF044AACB9E21BD211F0946FCF78222543CFBA0266D026831D35ADB21109A84132485A91BA9E0333EC2856F82D22EDDE1BE7251D2EA5FEA535709E85CD43CF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....A.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
Category:dropped
Size (bytes):24097
Entropy (8bit):3.2749730459064845
Encrypted:false
SSDEEP:192:b1EjNSCkf3SCqsTr6CCPanAG1tznL7VF+Iqfc51U5YQDztXfbKJG/Bfvo:b1EK6CHr6fSX+7Q1U5YQDztB/B3o
MD5:313D0CC5D1A64D2565E35937991775A6
SHA1:B8ACB11878C485865C9E4679248E53B83A8F3AD4
SHA-256:5ED0233C0922E9F20307315E24B4F33C3D56AB9F42B2F75AE91E7A27FD313B66
SHA-512:7C2DB4A3A4A8DF09F8119A7BA4CA9EBFE562F0A34D431928344E21A5853931EEFBFD910DC4026C6788AC22423BBB125F2B700326D8A1D82B134E2B486C3D0684
Malicious:false
Preview:Inno Setup Messages (6.0.0) (u)......................................]..+..... .C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):103
Entropy (8bit):4.493835447768373
Encrypted:false
SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5:9556062A739F56D168C1581A11192A17
SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious:false
Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.4385634049235
Encrypted:false
SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:30573ACFC9586271A3F800A10C284479
SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:false
Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):103
Entropy (8bit):4.493835447768373
Encrypted:false
SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5:9556062A739F56D168C1581A11192A17
SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious:false
Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.4385634049235
Encrypted:false
SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:30573ACFC9586271A3F800A10C284479
SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:false
Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):56
Entropy (8bit):4.503434386188784
Encrypted:false
SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:E40A3D559E4B85251943E071CD036D90
SHA1:10FC58DF075108C912589F7954244A807776A0FB
SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:false
Preview://..lockPref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):56
Entropy (8bit):4.503434386188784
Encrypted:false
SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:E40A3D559E4B85251943E071CD036D90
SHA1:10FC58DF075108C912589F7954244A807776A0FB
SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:false
Preview://..lockPref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):37
Entropy (8bit):4.134468568039293
Encrypted:false
SSDEEP:3:sFz5YHXdXLVdKIxbn:sFtqXdeabn
MD5:5D360F55BB6F14F8C22AE918F14C93C1
SHA1:C94497156A4D526879297EA60055932E4B4CA068
SHA-256:E91EB39328DB1C57932A1121750653E10F149BB200379FD53A0BCA44738A5843
SHA-512:1A96A46817204DE317BBF0A53FBB13CA7710AA54A50BD73C508450E51E6BF7904BD3EA7FEC58C9771C03E007C2E680D81B59D2231A7756774A6CEC2601879A5C
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"></PROFILE>
Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):109
Entropy (8bit):4.915620880471987
Encrypted:false
SSDEEP:3:sFz5YHXdXLVd1km9sOxJgk+dthkd22fYHRNKbZxbn:sFtqXdyDMHACd22fqRYbTbn
MD5:5353EA0F06B3F8D93C980C5D3439F5F8
SHA1:DA54B24834E62E65B2CDA77FBE99F83072884593
SHA-256:19E37D253BDC5D6C80B2FC165F185E26836A2200558D005454E7AF9B6F97D603
SHA-512:3299D4052B8B6F21DDB799BF0F7555182A2C15058459B01A93EBF0A29F451F1092990B7CBE0DDBDD408A4C039AC2DFF134366B4EFD75ECD820CD96837869913E
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"><PACKAGE GUID="47A254C1-76A4-4D9D-9E6B-D56B07E276B8" VERSION="4.0.4.0"/></PROFILE>
Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):109
Entropy (8bit):4.915620880471987
Encrypted:false
SSDEEP:3:sFz5YHXdXLVd1km9sOxJgk+dthkd22fYHRNKbZxbn:sFtqXdyDMHACd22fqRYbTbn
MD5:5353EA0F06B3F8D93C980C5D3439F5F8
SHA1:DA54B24834E62E65B2CDA77FBE99F83072884593
SHA-256:19E37D253BDC5D6C80B2FC165F185E26836A2200558D005454E7AF9B6F97D603
SHA-512:3299D4052B8B6F21DDB799BF0F7555182A2C15058459B01A93EBF0A29F451F1092990B7CBE0DDBDD408A4C039AC2DFF134366B4EFD75ECD820CD96837869913E
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"><PACKAGE GUID="47A254C1-76A4-4D9D-9E6B-D56B07E276B8" VERSION="4.0.4.0"/></PROFILE>
Process:C:\1be23190e4cbe7570e736d15\Setup.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):16118
Entropy (8bit):3.6434775915277604
Encrypted:false
SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:CD131D41791A543CC6F6ED1EA5BD257C
SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                                                                                                                                                Process:C:\1be23190e4cbe7570e736d15\Setup.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7210
                                                                                                                                                                                Entropy (8bit):3.6349409422902705
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:yruOKZ0zMn35LZBzi1vCpa6C6v5tv76V6nuuaKl0zvG:zG+/SvMvDvwuaOYu
                                                                                                                                                                                MD5:CF44B2669635438B416BCC39CEA5044F
                                                                                                                                                                                SHA1:AD4F064BAE7E102A2BE8B6242ABD461E9360D8E0
                                                                                                                                                                                SHA-256:15081731ECC9994377AC9541E58B4BECF17E390C93DE54F4AB62F802D4406237
                                                                                                                                                                                SHA-512:0E2DA4B57119B107F6CB30257E810374885093089CA2C3EBCA3AED85E1A476DC8366954DEB9B927776C7AF49668FA560EADA348FA9EB795350E4E2682BA53DFF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.1.0./.3.1./.2.0.2.4.,. .1.4.:.3.5.:.2.8.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a.n. .i.n.s.t.a.l.l.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.1.0./.3.1./.2.0.2.4.,. .1.4.:.3.5.:.2.8.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.1.0./.3.1./.2.0.2.4.,. .1.4.:.3.5.:.2.8.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):285744
                                                                                                                                                                                Entropy (8bit):3.820498023117241
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:arjSqUuz999kkkkkkkkkkkkkkkUGJvVwcDg1GnN09B46kX:ejZq
                                                                                                                                                                                MD5:F5E30BF53C0C793E63459ABA90D794B5
                                                                                                                                                                                SHA1:B2C87A6CB62721E81F2CA139CCC5AFB547A40E3F
                                                                                                                                                                                SHA-256:EA543C4379B730F331E52F0AF1831D564D655348AF5D8817D01CA78E8E75CCB0
                                                                                                                                                                                SHA-512:9F9B75D17A38352FC849043D9B9435B7C2F48FAF153D33568658828F72229D4C835BC0024E5E46FCF6C506639CFE5B6D4449EEF87335C11C987C80B985574B51
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .3.1./.1.0./.2.0.2.4. . .1.4.:.3.5.:.2.9. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .c.:.\.1.b.e.2.3.1.9.0.e.4.c.b.e.7.5.7.0.e.7.3.6.d.1.5.\.S.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.D.0.:.4.C.). .[.1.4.:.3.5.:.2.9.:.5.8.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.D.0.:.4.C.). .[.1.4.:.3.5.:.2.9.:.5.8.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.D.0.:.4.C.). .[.1.4.:.3.5.:.2.9.:.5.8.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .c.:.\.1.b.e.2.3.1.9.0.e.4.c.b.e.7.5.7.0.e.7.3.6.d.1.5.\.v.c._.r.e.d...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.D.0.:.4.C.). .[.1.4.:.3.5.:.2.
                                                                                                                                                                                Process:C:\1be23190e4cbe7570e736d15\Setup.exe
                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (358), with CRLF line terminators
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):75032
                                                                                                                                                                                Entropy (8bit):3.691514145225575
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:fdsOTLyUFJFEWUxFzv9vNgEQTa6AUwLPL0h5NfbvG2Nf0QIcrw64:fdsWyUr+WUxpv9RQWqW
                                                                                                                                                                                MD5:10593ADE25F5D8815EFFFBBE99D72B86
                                                                                                                                                                                SHA1:522C2A7B5ADF18C9E0401B4DEE72680C3BFCEEBC
                                                                                                                                                                                SHA-256:380A015ECEDE5AC2F9BA660D85C8E610F366A24D1302E88056A3A6788AA4664D
                                                                                                                                                                                SHA-512:B53259C931A89C26C5836EB62683D3DE9ABC1B6C3DAAEE4E06D7B4848A25FBA75505D2F702F82F40E1224EE14388C0E5931EB3DC034D57FF19315EF11EAEBDAA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                                                                                                                                                Process:C:\1be23190e4cbe7570e736d15\Setup.exe
                                                                                                                                                                                File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (324), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):29598
                                                                                                                                                                                Entropy (8bit):3.7173074261422987
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHdvVvoNvnxCKVG:fdsOTLyUFJFEWUxFzv9vNg4
                                                                                                                                                                                MD5:8C55EED9C5F7870D024C55551162BC58
                                                                                                                                                                                SHA1:58AC4FC4FC7FEE16EFB1F82F854D757C20F20F6A
                                                                                                                                                                                SHA-256:933E104544D66CDDDFF5E78CCC20ABBE7A79CD38D4053AB39A6B85A6E75340F1
                                                                                                                                                                                SHA-512:D40538486AAABE2FA46A3F1FE04CB1E000835B97C7F84FC69B78F85C573688E34B66FAE9DD4DEBA7ABD5E68535549C408680B8E49730554E787240278052512B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6144
                                                                                                                                                                                Entropy (8bit):4.720366600008286
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):729280
                                                                                                                                                                                Entropy (8bit):6.514405609878223
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:LsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9zW:IMcMoi3rPR37dzHRA6G7WbuSEmK50zym
                                                                                                                                                                                MD5:3E828ACD7AFDC653C0E0CA4F00A876C6
                                                                                                                                                                                SHA1:D21A0CD0F9A39279C2010A952E1249F021C23B4E
                                                                                                                                                                                SHA-256:08648EF949DF303A79FBA0EC8168CB1829EBBF5BFADFB199BC21EB6ECEBC93AE
                                                                                                                                                                                SHA-512:1FD64C0A1195515E1C4756109C5559A1BD5DB3AE6CCD2367CBC00E185E45CAE79A99EA4AE7D84FA3BD42E9C2710079786E99FCE4D462EB0C839C8DB69488357B
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................h....................@.......................................@......@...............................&.......+...................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc....+.......,..................@..P.....................r..............@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6482264
                                                                                                                                                                                Entropy (8bit):7.998880076329747
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:196608:8Q1ATfurodNWgauwGyktkN70QBzQHpnJnPVNLyLhXv:8kAz4wjVkN70QaHpnJN5ef
                                                                                                                                                                                MD5:DBC54A8343ACC3271098DD7F2E5B7345
                                                                                                                                                                                SHA1:42E9094219FD430D375920E97ED8932A7E5D504F
                                                                                                                                                                                SHA-256:959572470115C28195F4D9FBD84627F610DB4DABA7AC2DD3091D6F4A899EF46E
                                                                                                                                                                                SHA-512:CB4FFAD566A1F7D0705FB0C0E6B8CF22513A1019A224F61200C277CB4F267EDD048AC43BD57B183FAC8678663CCA95C663D07447658112386DD069CABFCC5B9E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p........c...@......@..............................|.... ...J............b.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6144
                                                                                                                                                                                Entropy (8bit):4.720366600008286
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):5073240
                                                                                                                                                                                Entropy (8bit):7.998813387067771
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
                                                                                                                                                                                MD5:B88228D5FEF4B6DC019D69D4471F23EC
                                                                                                                                                                                SHA1:372D9C1670343D3FB252209BA210D4DC4D67D358
                                                                                                                                                                                SHA-256:8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
                                                                                                                                                                                SHA-512:CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................hzM.......... ...................................................RM.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............L.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6585704
                                                                                                                                                                                Entropy (8bit):7.998699715615937
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:196608:nWs1RZwZA1n0tJ/uNDAKyLogRkDGzamPxT2XxUp8z2/:WMZwZAp0fmdAKyLogI9AI/y
                                                                                                                                                                                MD5:8DFECDDDB51D01D40B8FC278AE3C555C
                                                                                                                                                                                SHA1:FF0557847CB3A78CFDA37A53B1A15A33D0199388
                                                                                                                                                                                SHA-256:6C0E7F45649D8594AB3260B2498C292D3EE6F3E2346735A4AEB5BBEEF2C7CAA6
                                                                                                                                                                                SHA-512:33FADF253F9CEECE379EFF30ABFB0F3B81E815F135A5854BD23044B3C61111C515B29F9D0BD645004ECF31DD502D565F1AC36F4BF2AC45C2DDC51EEABE54313B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p......^.e...@......@..............................|.... ...J...........`d.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6482264
                                                                                                                                                                                Entropy (8bit):7.998880076329747
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:196608:8Q1ATfurodNWgauwGyktkN70QBzQHpnJnPVNLyLhXv:8kAz4wjVkN70QaHpnJN5ef
                                                                                                                                                                                MD5:DBC54A8343ACC3271098DD7F2E5B7345
                                                                                                                                                                                SHA1:42E9094219FD430D375920E97ED8932A7E5D504F
                                                                                                                                                                                SHA-256:959572470115C28195F4D9FBD84627F610DB4DABA7AC2DD3091D6F4A899EF46E
                                                                                                                                                                                SHA-512:CB4FFAD566A1F7D0705FB0C0E6B8CF22513A1019A224F61200C277CB4F267EDD048AC43BD57B183FAC8678663CCA95C663D07447658112386DD069CABFCC5B9E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p........c...@......@..............................|.... ...J............b.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):14744
                                                                                                                                                                                Entropy (8bit):3.466889176686958
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:KH+dhZUsCisVAYUeazVksWZE0FEsj5rbrc8VkDE9Yamb777LN09t8toilo0odx0a:o+rZUsCis2YUeazVksWZE0FEsj5rbrcO
                                                                                                                                                                                MD5:3E245B689717E54921C503B0CA684F13
                                                                                                                                                                                SHA1:B273912BEB0D06AA68B3A196676739315038E0EE
                                                                                                                                                                                SHA-256:1A638214697DBAC1D7CE2780F3F9D8C4471230C564410E2C94AB8B34789EF218
                                                                                                                                                                                SHA-512:C06B1B98126B419C0D40A4DAD7BE7E6B67ACE872D818798BBF299D6B2D9B68A738450F3BAFA97E588F21B15826513E5357137087269A777405100BC3143A446B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..Image Name PID Session Name Session# Mem Usage..========================= ======== ================ =========== ============..System Idle Process 0 Services 0 8 K..System 4 Services 0 180 K..Registry 92 Services 0 79'240 K..smss.exe 328 Services 0 1'224 K..csrss.exe 412 Services 0 5'272 K..wininit.exe 488 Services 0 7'244 K..csrss.exe 496 Console 1 5'948 K..winlogon.exe 560 Console 1 16'684 K..services.exe 632 Services 0 12'484 K..lsass.exe 652 Services 0 19'980 K..svchost.exe 752 Services
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6585704
                                                                                                                                                                                Entropy (8bit):7.998699715615937
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:196608:nWs1RZwZA1n0tJ/uNDAKyLogRkDGzamPxT2XxUp8z2/:WMZwZAp0fmdAKyLogI9AI/y
                                                                                                                                                                                MD5:8DFECDDDB51D01D40B8FC278AE3C555C
                                                                                                                                                                                SHA1:FF0557847CB3A78CFDA37A53B1A15A33D0199388
                                                                                                                                                                                SHA-256:6C0E7F45649D8594AB3260B2498C292D3EE6F3E2346735A4AEB5BBEEF2C7CAA6
                                                                                                                                                                                SHA-512:33FADF253F9CEECE379EFF30ABFB0F3B81E815F135A5854BD23044B3C61111C515B29F9D0BD645004ECF31DD502D565F1AC36F4BF2AC45C2DDC51EEABE54313B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p......^.e...@......@..............................|.... ...J...........`d.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):5073240
                                                                                                                                                                                Entropy (8bit):7.998813387067771
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
                                                                                                                                                                                MD5:B88228D5FEF4B6DC019D69D4471F23EC
                                                                                                                                                                                SHA1:372D9C1670343D3FB252209BA210D4DC4D67D358
                                                                                                                                                                                SHA-256:8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
                                                                                                                                                                                SHA-512:CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................hzM.......... ...................................................RM.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............L.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3131328
                                                                                                                                                                                Entropy (8bit):6.377181933518846
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:aEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF3338L:q92bz2Eb6pd7B6bAGx7b333U
                                                                                                                                                                                MD5:C2B12368174C2843B050C1000CD7A7F3
                                                                                                                                                                                SHA1:AED269194C487644257C41BDDCCE6488F33E73CA
                                                                                                                                                                                SHA-256:7F4B3E922601C8468494EE42E6D0A999A17AA5895547EEBC9DF099176FD87812
                                                                                                                                                                                SHA-512:4363ECE21C56BD2237C8A0C2354368C03FA6170E146A3C1893D069DABA61DA4BA56376981F02E8FF2B700A51D3DA7B1C68B9321908A388669B4D3BACCDF6FB24
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0......./...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):239
                                                                                                                                                                                Entropy (8bit):5.244078670555102
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:rFHGxQ61kH7HE9bwe9hc1axKsyyL4eJ/nleB/H7HE9bkgjqY1axKs5v:r026ebH279hc14KsyyL/J/nAB/bH271e
                                                                                                                                                                                MD5:2F75CB7D681782F34E407A53FB42DF05
                                                                                                                                                                                SHA1:4371FB4F570BBCE02FFCF374D7F093B583E653B0
                                                                                                                                                                                SHA-256:203862ED6BA60B1BBB22C5777ED47E69FE75EF51F5C497B3D832BBF4DD736780
                                                                                                                                                                                SHA-512:DFC70F8C5322385B67C6C19B4F9D2D21BD024E3C6CE62384CC283DDA0D03A13DB691229D76B302FAD04D518928F71175ADCFFCFD4FED0B2A93FFB417BD90B1B8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:FOR /F "tokens=*" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO set FIREFOX_PROFILE_DIR=%%A..%2\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1..
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):99678
                                                                                                                                                                                Entropy (8bit):2.399880160860077
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:ckeXhftI9DRRRQwXF6jI2PmdFUMUaaS8FPm0AjaP:ZexftsDRRRPSP
                                                                                                                                                                                MD5:C6B1F4998CA0242B1EB448C9694EFF20
                                                                                                                                                                                SHA1:D002E4878B16AFD33885553F3507BA2BC23E2179
                                                                                                                                                                                SHA-256:15C5C4D9FC4E4FCD10D130A558D4F89931340B40EB6FAECB0BCE1FB5CCCC1CAB
                                                                                                                                                                                SHA-512:902117AA14D95A3493D4DB341CE1DCBCF07D8ADA9DF8E4B29100C5FC7D8E732245D9512AE378C9BF2EAA2AEA9B371F089D0BCDD66B71B1EEF84D931874E8528A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):59664
                                                                                                                                                                                Entropy (8bit):5.552981290836808
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:/RQvLjWiALqLkHbp7m8GYT3WXs39i4zv:/Vz2Lk71m8Ge3WXs1
                                                                                                                                                                                MD5:5D077A0CDD077C014EEDB768FEB249BA
                                                                                                                                                                                SHA1:EA2C62D69A1F6B9D643FE16319EC7632C9533B3F
                                                                                                                                                                                SHA-256:8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
                                                                                                                                                                                SHA-512:71BF48DCB6916A810F63710968894B431357AA694AA169067F567CC82B8E4EE732F581AFB85B256E5C5A9D15A8B7B5746FA6A8B4127B273FEB5B0E03E91B607A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):103936
                                                                                                                                                                                Entropy (8bit):6.464020030097691
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:est2WKOxRTftkVeSl8w5d3wgtRgc7k8w:GWKOzTlkVzl8w8yRDA8w
                                                                                                                                                                                MD5:0C6B43C9602F4D5AC9DCF907103447C4
                                                                                                                                                                                SHA1:7A77C7AE99D400243845CCE0E0931F029A73F79A
                                                                                                                                                                                SHA-256:5950722034C8505DAA9B359127FEB707F16C37D2F69E79D16EE6D9EC37690478
                                                                                                                                                                                SHA-512:B21B34A5886A3058CE26A6A5A6EAD3B1EBAE62354540492FB6508BE869E7D292B351C0913461B47C4CC0C6A73333AAD33CD9399BCB1F83C7DACFDB7F2EE1F7A9
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):103
                                                                                                                                                                                Entropy (8bit):4.493835447768373
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
                                                                                                                                                                                MD5:9556062A739F56D168C1581A11192A17
                                                                                                                                                                                SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
                                                                                                                                                                                SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
                                                                                                                                                                                SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):222208
                                                                                                                                                                                Entropy (8bit):6.697487951906348
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
                                                                                                                                                                                MD5:269BEB631B580C6D54DB45B5573B1DE5
                                                                                                                                                                                SHA1:64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
                                                                                                                                                                                SHA-256:FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
                                                                                                                                                                                SHA-512:649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):370176
                                                                                                                                                                                Entropy (8bit):6.863300763286356
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
                                                                                                                                                                                MD5:D1243817A1B22B855DE0852CF5B53BF5
                                                                                                                                                                                SHA1:C64F4851A2FCFE8D1E4A5B5743498870B676755E
                                                                                                                                                                                SHA-256:93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
                                                                                                                                                                                SHA-512:59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):103
                                                                                                                                                                                Entropy (8bit):4.493835447768373
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
                                                                                                                                                                                MD5:9556062A739F56D168C1581A11192A17
                                                                                                                                                                                SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
                                                                                                                                                                                SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
                                                                                                                                                                                SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):97792
                                                                                                                                                                                Entropy (8bit):6.240650542976671
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
                                                                                                                                                                                MD5:A5C670EDF4411BF7F132F4280026137B
                                                                                                                                                                                SHA1:C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
                                                                                                                                                                                SHA-256:ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
                                                                                                                                                                                SHA-512:ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                Entropy (8bit):4.4385634049235
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
                                                                                                                                                                                MD5:30573ACFC9586271A3F800A10C284479
                                                                                                                                                                                SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
                                                                                                                                                                                SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
                                                                                                                                                                                SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):99678
                                                                                                                                                                                Entropy (8bit):2.399880160860077
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:ckeXhftI9DRRRQwXF6jI2PmdFUMUaaS8FPm0AjaP:ZexftsDRRRPSP
                                                                                                                                                                                MD5:C6B1F4998CA0242B1EB448C9694EFF20
                                                                                                                                                                                SHA1:D002E4878B16AFD33885553F3507BA2BC23E2179
                                                                                                                                                                                SHA-256:15C5C4D9FC4E4FCD10D130A558D4F89931340B40EB6FAECB0BCE1FB5CCCC1CAB
                                                                                                                                                                                SHA-512:902117AA14D95A3493D4DB341CE1DCBCF07D8ADA9DF8E4B29100C5FC7D8E732245D9512AE378C9BF2EAA2AEA9B371F089D0BCDD66B71B1EEF84D931874E8528A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):172544
                                                                                                                                                                                Entropy (8bit):6.496240878001019
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
                                                                                                                                                                                MD5:2AB31C9401870ADB4E9D88B5A6837ABF
                                                                                                                                                                                SHA1:4F0FDD699E63F614D79ED6E47EF61938117D3B7A
                                                                                                                                                                                SHA-256:22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
                                                                                                                                                                                SHA-512:BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):190976
                                                                                                                                                                                Entropy (8bit):6.662915165682162
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
                                                                                                                                                                                MD5:717DBDF0E1F616EA8A038259E273C530
                                                                                                                                                                                SHA1:926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
                                                                                                                                                                                SHA-256:E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
                                                                                                                                                                                SHA-512:C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):14336
                                                                                                                                                                                Entropy (8bit):5.794541181301596
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
                                                                                                                                                                                MD5:1FAE68B740F18290B98B2F9E23313CC2
                                                                                                                                                                                SHA1:FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
                                                                                                                                                                                SHA-256:751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
                                                                                                                                                                                SHA-512:5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):222208
                                                                                                                                                                                Entropy (8bit):6.697487951906348
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
                                                                                                                                                                                MD5:269BEB631B580C6D54DB45B5573B1DE5
                                                                                                                                                                                SHA1:64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
                                                                                                                                                                                SHA-256:FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
                                                                                                                                                                                SHA-512:649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):423936
                                                                                                                                                                                Entropy (8bit):6.751461394308889
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
                                                                                                                                                                                MD5:B58848A28A1EFB85677E344DB1FD67E6
                                                                                                                                                                                SHA1:DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
                                                                                                                                                                                SHA-256:00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
                                                                                                                                                                                SHA-512:762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Antivirus:
                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PEM certificate
Category:dropped
Size (bytes):1574
Entropy (8bit):5.905699622879769
Encrypted:false
SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):59664
Entropy (8bit):5.552981290836808
Encrypted:false
SSDEEP:1536:/RQvLjWiALqLkHbp7m8GYT3WXs39i4zv:/Vz2Lk71m8Ge3WXs1
MD5:5D077A0CDD077C014EEDB768FEB249BA
SHA1:EA2C62D69A1F6B9D643FE16319EC7632C9533B3F
SHA-256:8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
SHA-512:71BF48DCB6916A810F63710968894B431357AA694AA169067F567CC82B8E4EE732F581AFB85B256E5C5A9D15A8B7B5746FA6A8B4127B273FEB5B0E03E91B607A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):199680
Entropy (8bit):6.678065290017203
Encrypted:false
SSDEEP:3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
MD5:6E84AF2875700285309DD29294365C6A
SHA1:FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
SHA-256:1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
SHA-512:0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):93696
Entropy (8bit):6.44977499578729
Encrypted:false
SSDEEP:1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
MD5:C26E940B474728E728CAFE5912BA418A
SHA1:7256E378A419F8D87DE71835E6AD12FAADAAAF73
SHA-256:1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
SHA-512:BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):108544
Entropy (8bit):6.45689405407938
Encrypted:false
SSDEEP:3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
MD5:051652BA7CA426846E936BC5AA3F39F3
SHA1:0012007876DDE3A2D764249AD86BC428300FE91E
SHA-256:8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
SHA-512:005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.576295270591411
Encrypted:false
SSDEEP:192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
MD5:9AE76DB13972553A5DE5BDD07B1B654D
SHA1:0C4508EB6F13B9B178237CCC4DA759BFF10AF658
SHA-256:38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
SHA-512:DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):239
Entropy (8bit):5.244078670555102
Encrypted:false
SSDEEP:6:rFHGxQ61kH7HE9bwe9hc1axKsyyL4eJ/nleB/H7HE9bkgjqY1axKs5v:r026ebH279hc14KsyyL/J/nAB/bH271e
MD5:2F75CB7D681782F34E407A53FB42DF05
SHA1:4371FB4F570BBCE02FFCF374D7F093B583E653B0
SHA-256:203862ED6BA60B1BBB22C5777ED47E69FE75EF51F5C497B3D832BBF4DD736780
SHA-512:DFC70F8C5322385B67C6C19B4F9D2D21BD024E3C6CE62384CC283DDA0D03A13DB691229D76B302FAD04D518928F71175ADCFFCFD4FED0B2A93FFB417BD90B1B8
Malicious:false
Preview:FOR /F "tokens=*" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO set FIREFOX_PROFILE_DIR=%%A..%2\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1..
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):56
Entropy (8bit):4.503434386188784
Encrypted:false
SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:E40A3D559E4B85251943E071CD036D90
SHA1:10FC58DF075108C912589F7954244A807776A0FB
SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:false
Preview://..lockPref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):798720
Entropy (8bit):6.523188898405281
Encrypted:false
SSDEEP:24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
MD5:A1C4628D184B6AB25550B1CE74F44792
SHA1:C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
SHA-256:3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
SHA-512:07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):103936
Entropy (8bit):6.464020030097691
Encrypted:false
SSDEEP:3072:est2WKOxRTftkVeSl8w5d3wgtRgc7k8w:GWKOzTlkVzl8w8yRDA8w
MD5:0C6B43C9602F4D5AC9DCF907103447C4
SHA1:7A77C7AE99D400243845CCE0E0931F029A73F79A
SHA-256:5950722034C8505DAA9B359127FEB707F16C37D2F69E79D16EE6D9EC37690478
SHA-512:B21B34A5886A3058CE26A6A5A6EAD3B1EBAE62354540492FB6508BE869E7D292B351C0913461B47C4CC0C6A73333AAD33CD9399BCB1F83C7DACFDB7F2EE1F7A9
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):199680
Entropy (8bit):6.678065290017203
Encrypted:false
SSDEEP:3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
MD5:6E84AF2875700285309DD29294365C6A
SHA1:FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
SHA-256:1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
SHA-512:0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14336
Entropy (8bit):5.794541181301596
Encrypted:false
SSDEEP:192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
MD5:1FAE68B740F18290B98B2F9E23313CC2
SHA1:FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
SHA-256:751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
SHA-512:5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.576295270591411
Encrypted:false
SSDEEP:192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
MD5:9AE76DB13972553A5DE5BDD07B1B654D
SHA1:0C4508EB6F13B9B178237CCC4DA759BFF10AF658
SHA-256:38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
SHA-512:DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.4385634049235
Encrypted:false
SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:30573ACFC9586271A3F800A10C284479
SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:false
Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):798720
Entropy (8bit):6.523188898405281
Encrypted:false
SSDEEP:24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
MD5:A1C4628D184B6AB25550B1CE74F44792
SHA1:C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
SHA-256:3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
SHA-512:07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):370176
Entropy (8bit):6.863300763286356
Encrypted:false
SSDEEP:6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
MD5:D1243817A1B22B855DE0852CF5B53BF5
SHA1:C64F4851A2FCFE8D1E4A5B5743498870B676755E
SHA-256:93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
SHA-512:59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):108544
Entropy (8bit):6.45689405407938
Encrypted:false
SSDEEP:3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
MD5:051652BA7CA426846E936BC5AA3F39F3
SHA1:0012007876DDE3A2D764249AD86BC428300FE91E
SHA-256:8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
SHA-512:005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):93696
Entropy (8bit):6.44977499578729
Encrypted:false
SSDEEP:1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
MD5:C26E940B474728E728CAFE5912BA418A
SHA1:7256E378A419F8D87DE71835E6AD12FAADAAAF73
SHA-256:1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
SHA-512:BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................`....C.k.....m.....X.....o...........Y.....h.....i.....n....Rich...........PE..L....A.O...........!................p.....................................................@..........................O.......F..x...................................................................0F..@...............l............................text...~........................... ..`.rdata..............................@..@.data........p.......Z..............@....rsrc................\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PEM certificate
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1574
                                                                                                                                                                                Entropy (8bit):5.905699622879769
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
                                                                                                                                                                                MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
                                                                                                                                                                                SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
                                                                                                                                                                                SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
                                                                                                                                                                                SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:-----BEGIN CERTIFICATE-----.MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx.MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB.FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB.CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo.5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9.pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S.9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il.rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):97792
                                                                                                                                                                                Entropy (8bit):6.240650542976671
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
                                                                                                                                                                                MD5:A5C670EDF4411BF7F132F4280026137B
                                                                                                                                                                                SHA1:C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
                                                                                                                                                                                SHA-256:ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
                                                                                                                                                                                SHA-512:ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.?...4.k.Y...7.k.Y...4.k.Y...;.k.6.j..k.Y.....k.Y..7.k.Y..7.k.Y...7.k.Rich6.k.........................PE..L....A.O...........!.........j...............0............................................@.........................Pj..v...\N.......................................................................M..@............0...............................text............................... ..`.rdata...S...0...T..................@..@.data...h............l..............@....rsrc................n..............@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):172544
                                                                                                                                                                                Entropy (8bit):6.496240878001019
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
                                                                                                                                                                                MD5:2AB31C9401870ADB4E9D88B5A6837ABF
                                                                                                                                                                                SHA1:4F0FDD699E63F614D79ED6E47EF61938117D3B7A
                                                                                                                                                                                SHA-256:22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
                                                                                                                                                                                SHA-512:BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.e./.6./.6./.6.W.6./.6;a.6./.6.Y.6./.6.Y36./.6.Y.6./.6./.61/.6.Y26./.6.Y.6./.6.Y.6./.6.Y.6./.6Rich./.6................PE..L....A.O...........!.....*...x.......3.......@............................................@.................................<...................................|...................................x...@............@...............................text....(.......*.................. ..`.rdata...O...@...P..................@..@.data................~..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):423936
                                                                                                                                                                                Entropy (8bit):6.751461394308889
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
                                                                                                                                                                                MD5:B58848A28A1EFB85677E344DB1FD67E6
                                                                                                                                                                                SHA1:DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
                                                                                                                                                                                SHA-256:00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
                                                                                                                                                                                SHA-512:762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,J..h+.Yh+.Yh+.YaS0Yj+.Y.]?Yk+.Yh+.Y&+.Y.]=Yd+.Y.].Yj+.Y.].Yf+.Y.]8Yi+.Y.]>Yi+.YRichh+.Y........................PE..L....A.O...........!......................................................................@..........................J.......C..<...............................@&..................................@B..@...............@............................text............................... ..`.rdata..............................@..@.data........`.......D..............@....reloc..Z(.......*...N..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):190976
                                                                                                                                                                                Entropy (8bit):6.662915165682162
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
                                                                                                                                                                                MD5:717DBDF0E1F616EA8A038259E273C530
                                                                                                                                                                                SHA1:926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
                                                                                                                                                                                SHA-256:E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
                                                                                                                                                                                SHA-512:C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Af......................jq......jq=.....jq..............jq<.5...jq......jq......jq......Rich............................PE..L....A.O...........!.................".......0............................... ............@.........................p...j.......................................l......................................@............0...............................text............................... ..`.rdata......0......................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):56
                                                                                                                                                                                Entropy (8bit):4.503434386188784
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
                                                                                                                                                                                MD5:E40A3D559E4B85251943E071CD036D90
                                                                                                                                                                                SHA1:10FC58DF075108C912589F7954244A807776A0FB
                                                                                                                                                                                SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
                                                                                                                                                                                SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview://..lockPref("security.enterprise_roots.enabled", true);
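The two previews above belong together: RDM_ROOT_CERTIFICATE.tmp drops a PEM certificate and a 56-byte Firefox autoconfig fragment, which is what the "Installs new ROOT certificates" and "Overwrites Mozilla Firefox settings" signatures refer to. The following is an added example, not code from the report or from the RDM installer: it decodes the certificate straight from the truncated preview (the sandbox shows only the first kilobyte, so the DER ends inside the RSA public key, and the hand-written parser is built to tolerate that) and reads the autoconfig line to see what it does to Firefox's trust store. All function names are mine; the AUTOCONFIG_PREVIEW string is reconstructed on the assumption that the 56-byte file is `//`, CRLF, and the `lockPref` line with no trailing newline (2 + 2 + 52 bytes, matching the reported size and "CRLF line terminators"), and the Name parser assumes single-valued RDNs, which is all this certificate uses.

```python
# Added example (not from the report or the RDM installer): read the two
# trust-related files dropped by RDM_ROOT_CERTIFICATE.tmp from their previews.
import base64
import re
from datetime import datetime

# Inputs reconstructed from the report previews (see the lead-in for assumptions).
AUTOCONFIG_PREVIEW = '//\r\nlockPref("security.enterprise_roots.enabled", true);'
PEM_PREVIEW = """-----BEGIN CERTIFICATE-----
MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD
VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW
BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu
dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv
b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx
MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM
B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y
YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1
c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB
FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo
5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9
pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S
9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il
rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV"""

ATTR = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L", "2.5.4.10": "O",
        "2.5.4.11": "OU", "2.5.4.3": "CN", "1.2.840.113549.1.9.1": "emailAddress"}
ALG = {"1.2.840.113549.1.1.1": "rsaEncryption",
       "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def der_from_preview(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body[: len(body) // 4 * 4])   # drop the cut-off last quantum

def tlv(buf, pos):
    """DER header at pos -> (tag, value_start, value_end, declared_length);
    value_end is clamped to the bytes present so a truncated SEQUENCE still walks."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, min(pos + length, len(buf)), length

def children(buf, start, end):                             # TLVs laid out back to back
    out, pos = [], start
    while pos < end:
        out.append(tlv(buf, pos))
        pos = out[-1][2]
    return out

def oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                      # base-128, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def name(buf, start, end):
    """X.501 Name: SEQUENCE OF SET OF {OID, string} -> [(attr, value), ...]."""
    out = []
    for _, rdn, _, _ in children(buf, start, end):        # one AttributeTypeAndValue per SET
        _, o, o_end, _ = tlv(buf, tlv(buf, rdn)[1])       # OID inside the SEQUENCE
        _, v, v_end, _ = tlv(buf, o_end)                   # Printable/UTF8/IA5String
        out.append((ATTR.get(oid(buf[o:o_end]), oid(buf[o:o_end])), buf[v:v_end].decode()))
    return out

def parse_certificate(der):
    _, tbs, tbs_end, _ = tlv(der, tlv(der, 0)[1])          # Certificate -> tbsCertificate
    fields = children(der, tbs, tbs_end)                   # ends where the preview does
    if fields[0][0] != 0xA0:                               # v1 certificates omit [0] version
        fields.insert(0, None)
    ver, serial, sig, issuer, validity, subject, spki = fields[:7]
    nb, na = children(der, validity[1], validity[2])       # two UTCTimes
    alg, pubkey = children(der, spki[1], spki[2])          # AlgorithmIdentifier, BIT STRING
    _, rsa, _, _ = tlv(der, pubkey[1] + 1)                 # skip unused-bits byte -> RSAPublicKey
    _, m, _, mod_len = tlv(der, rsa)                       # modulus; declared length survives truncation
    key_bits = (mod_len - int(der[m] == 0)) * 8
    utc = lambda f: datetime.strptime(der[f[1]:f[2]].decode(), "%y%m%d%H%M%SZ")
    first_oid = lambda f: oid(der[slice(*tlv(der, f[1])[1:3])])   # OID in an AlgorithmIdentifier
    iss, sub = name(der, *issuer[1:3]), name(der, *subject[1:3])
    return {"version": der[tlv(der, ver[1])[1]] + 1 if ver else 1,
            "serial": der[serial[1]:serial[2]].hex(),
            "signature_algorithm": ALG.get(first_oid(sig), "unknown"),
            "issuer": iss, "subject": sub, "self_signed": iss == sub,
            "not_before": utc(nb), "not_after": utc(na),
            "public_key": "%s %d" % (ALG.get(first_oid(alg), "unknown"), key_bits)}

def firefox_prefs(autoconfig):
    """Firefox ignores the first line of an autoconfig file (hence the bare "//").
    Returns {pref: (value, locked)} for the lockPref/defaultPref/pref calls after it."""
    body = autoconfig.split("\n", 1)[1] if "\n" in autoconfig else ""
    calls = re.findall(r'\b(lockPref|defaultPref|pref)\("([^"]+)",\s*([^)]+)\)', body)
    return {key: (val.strip(), fn == "lockPref") for fn, key, val in calls}

def trust_findings(der, autoconfig):
    """What the pair does to TLS trust on the host, as short analyst findings."""
    cert, prefs, out = parse_certificate(der), firefox_prefs(autoconfig), []
    if cert["self_signed"]:
        out.append("self-signed root CA %r (%s) trusted until %s" % (
            dict(cert["subject"])["CN"], cert["public_key"], cert["not_after"].date()))
    value, locked = prefs.get("security.enterprise_roots.enabled", ("false", False))
    if value == "true":                                    # Firefox also trusts the Windows root store
        out.append("Firefox imports Windows root-store CAs" + (" (locked)" if locked else ""))
    return out
```

Run against the previews, `parse_certificate` reports a self-signed, 2048-bit RSA root with CN "RDM Device Root" (O "RDM Corporation", OU "Device - for Internal Intranet use Only", support@rdmcorp.com), serial 00:AF:F8:B8:45:1C:46:BF:D0, valid from 2014-11-11 to 2024-11-08, and `firefox_prefs` shows `security.enterprise_roots.enabled` locked to `true`. Firefox normally consults only its own NSS store, so that pref is what extends the newly installed Windows root to Firefox as well: any leaf certificate signed by this CA would then be accepted by every browser on the host, which is why a private root plus a locked Firefox pref deserves a second look even when the vendor is legitimate. On an affected machine the root can be located with `Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like '*RDM Device Root*'` in PowerShell.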
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):6144
                                                                                                                                                                                Entropy (8bit):4.720366600008286
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3131328
Entropy (8bit):6.377177227761894
Encrypted:false
SSDEEP:49152:FEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF33383:J92bz2Eb6pd7B6bAGx7b333Y
MD5:895924B96B8B7BC52781E921E0AB93B8
SHA1:3574ED0904E9386F602E181592F3DCF951A4F36B
SHA-256:8CAC9F851CF868D6764058F43CC63DADF6CF7964D12E45367156AC4F7626AD55
SHA-512:C8FF044AACB9E21BD211F0946FCF78222543CFBA0266D026831D35ADB21109A84132485A91BA9E0333EC2856F82D22EDDE1BE7251D2EA5FEA535709E85CD43CF
Malicious:false
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....A.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21344240
Entropy (8bit):7.9920082797846455
Encrypted:true
SSDEEP:393216:zDKiNwxu9WmQpO4nkCRhllVNadBQHL7knIjajuzM3Cm8OScfeaNCL:3Nwxm4nxl26eeRzaNCL
MD5:FAC28B29942B43B885400CCBCBC47C06
SHA1:925740916D539D1F8056FC1967F128350DDC8A4C
SHA-256:DACB2CB40AC4A01D1019D5C785465593034CD054A44948F4275901349B256F59
SHA-512:5508ADBFD6A6C8028EB5A7E047B901330A42291F414BD044BEDCCBC01E3C447CC73404417A94FDFC5BF037A258AA0062C553F531C450EA6256B0E9AA527AEEC8
Malicious:false
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@.................................4zF...@......@...................@....... ..6....p...e..........0.E..+...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....e...p...f..................@..@....................................@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11928472
Entropy (8bit):7.97829322027277
Encrypted:false
SSDEEP:196608:MbQGEYGXa/YhG9vzXa1OJVy9K8Z/8Y+BoNFpxZobTlOSQ3+LZV7o1/Nlz7W4vJQ:MQGEYGXUYhG9jqOJg9c2N4XlzZVM1/NO
MD5:CFC2E44506ED4779B9A86D49965B2025
SHA1:2510EDCD610C02BEB3C48ACC3CBB39268D73410B
SHA-256:7022B1000A335E1DAF89DB12A3E06067E3E21163BDE4CF4D5E7893B539BEC7F9
SHA-512:C5672AC0092B46576158F0AD58C8D7A894D114E14B988A1AC3D0703C4DE0F24FB098F3E96B12EA6DDEC7148BCEC0546FBD211B71D33683D60CC882F2C55B0BA7
Malicious:false
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@.......................................@......@...................@....... ..6....p...e..............+...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....e...p...f..................@..@....................................@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):8080584
Entropy (8bit):7.958496147012039
Encrypted:false
SSDEEP:196608:rQ1ATfurodNWgauwGyktkN70QBzQHpnJnP31pthdiATb7h:rkAz4wjVkN70QaHpnJP/tnt
MD5:A1234F8D3A7122BE13679CFA0D9EB3E6
SHA1:BE122B7E2975465F9E1372609D65B8400E7DB25C
SHA-256:AB1CA7E6F5ECE61E914482A89E21EE633C3FFD57BD76358DCE41AA1854477A1B
SHA-512:14A0C568074A762D8DD5968B4A18331C02772D48E44B4179134BA8F489F54221826F63A6E1BFECEC709745B42C37B4181412046DFF528FCC72AE5437F061B65E
Malicious:false
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@..................................>|...@......@...................@....... ..6....p...e........... {..+...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....e...p...f..................@..@....................................@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21344240
Entropy (8bit):7.9920082797846455
Encrypted:true
SSDEEP:393216:zDKiNwxu9WmQpO4nkCRhllVNadBQHL7knIjajuzM3Cm8OScfeaNCL:3Nwxm4nxl26eeRzaNCL
MD5:FAC28B29942B43B885400CCBCBC47C06
SHA1:925740916D539D1F8056FC1967F128350DDC8A4C
SHA-256:DACB2CB40AC4A01D1019D5C785465593034CD054A44948F4275901349B256F59
SHA-512:5508ADBFD6A6C8028EB5A7E047B901330A42291F414BD044BEDCCBC01E3C447CC73404417A94FDFC5BF037A258AA0062C553F531C450EA6256B0E9AA527AEEC8
Malicious:false
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@.................................4zF...@......@...................@....... ..6....p...e..........0.E..+...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....e...p...f..................@..@....................................@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11928472
Entropy (8bit):7.97829322027277
Encrypted:false
SSDEEP:196608:MbQGEYGXa/YhG9vzXa1OJVy9K8Z/8Y+BoNFpxZobTlOSQ3+LZV7o1/Nlz7W4vJQ:MQGEYGXUYhG9jqOJg9c2N4XlzZVM1/NO
MD5:CFC2E44506ED4779B9A86D49965B2025
SHA1:2510EDCD610C02BEB3C48ACC3CBB39268D73410B
SHA-256:7022B1000A335E1DAF89DB12A3E06067E3E21163BDE4CF4D5E7893B539BEC7F9
SHA-512:C5672AC0092B46576158F0AD58C8D7A894D114E14B988A1AC3D0703C4DE0F24FB098F3E96B12EA6DDEC7148BCEC0546FBD211B71D33683D60CC882F2C55B0BA7
Malicious:false
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@.......................................@......@...................@....... ..6....p...e..............+...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....e...p...f..................@..@....................................@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):8080584
Entropy (8bit):7.958496147012039
Encrypted:false
SSDEEP:196608:rQ1ATfurodNWgauwGyktkN70QBzQHpnJnP31pthdiATb7h:rkAz4wjVkN70QaHpnJP/tnt
MD5:A1234F8D3A7122BE13679CFA0D9EB3E6
SHA1:BE122B7E2975465F9E1372609D65B8400E7DB25C
SHA-256:AB1CA7E6F5ECE61E914482A89E21EE633C3FFD57BD76358DCE41AA1854477A1B
SHA-512:14A0C568074A762D8DD5968B4A18331C02772D48E44B4179134BA8F489F54221826F63A6E1BFECEC709745B42C37B4181412046DFF528FCC72AE5437F061B65E
Malicious:false
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...........^.......p....@..................................>|...@......@...................@....... ..6....p...e........... {..+...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....e...p...f..................@..@....................................@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3131344
Entropy (8bit):6.377169247154071
Encrypted:false
SSDEEP:49152:8EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF3338u:892bz2Eb6pd7B6bAGx7b333J
MD5:9ECEDBF75204AF13FD44FEE9708AD1A1
SHA1:3228B4C4281EAD90E8CBEAE44944A695484809BE
SHA-256:91918F711F94703DB4ECFD02582DB2856B718BDEA6B31410D92C002F54806896
SHA-512:3CF1DC3B96F217D5C1ED8109041CA8BA2D4F1FB07EEA86CF5208F2905F598FB537DDBEF21A5C67D3857A0EF747F8E6DE950C77E8D62333F66024C58055F018BB
Malicious:false
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....I.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
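The per-file fields in the entries above (size, 8-bit entropy, the Encrypted flag, the MD5/SHA1/SHA-256/SHA-512 set and the File Type line) can be reproduced for any dropped file with a short script, which is useful when re-checking a sandbox verdict against a sample pulled from a host. The Python below is an added example, not Joe Sandbox code or part of this report. It computes the hashes and Shannon entropy, reports Encrypted: true above an entropy threshold (7.99 is an assumed cut-off chosen so that it agrees with the entries above, where 7.992 is flagged and 7.978 is not; the sandbox's actual rule is not on this page), rebuilds the File Type line from the PE headers, and records two signatures visible in the previews: the Borland/Delphi 'MZP' DOS stub with its 'This program must be run under Win32' message, which Inno Setup installers carry, and the 'InUn' bytes at offset 0x30, which the script assumes to be the Inno Setup uninstaller marker. The function names (shannon_entropy, hashes, describe_pe, triage, build_minimal_pe) are chosen here, and build_minimal_pe constructs in-memory sample headers so the example runs offline.

```python
import hashlib
import math
import struct

# Entropy cut-off (bits per byte) at or above which this script reports Encrypted: true.
# Assumed value: it separates the 7.992-entropy payload (flagged true in the report)
# from the 7.978 and 7.958 ones (flagged false); the sandbox's real rule is not on the page.
ENCRYPTED_ENTROPY_THRESHOLD = 7.99

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
BORLAND_STUB_MSG = b"This program must be run under Win32"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; the report's 'Entropy (8bit)' figure."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 in the upper-case hex form the report uses."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def describe_pe(data: bytes) -> str:
    """Rebuild the 'File Type' line from the DOS, COFF and optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE file"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ stub without PE header"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both formats
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, f"PE(magic=0x{magic:X})")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386",
            IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(machine, f"machine 0x{machine:X}")
    sub = {IMAGE_SUBSYSTEM_WINDOWS_GUI: "GUI",
           IMAGE_SUBSYSTEM_WINDOWS_CUI: "console"}.get(subsystem, f"subsystem {subsystem}")
    return f"{fmt} executable ({sub}) {arch}, for MS Windows"


def triage(data: bytes) -> dict:
    """One dropped-file record in the shape of the report entries above."""
    ent = shannon_entropy(data)
    notes = []
    if data[:3] == b"MZP" and BORLAND_STUB_MSG in data[:0x80]:
        notes.append("Borland/Delphi DOS stub (Inno Setup builds)")
    if data[0x30:0x34] == b"InUn":
        notes.append("'InUn' at 0x30 (assumed Inno Setup uninstaller marker)")
    record = {
        "size": len(data),
        "entropy": round(ent, 6),
        "encrypted": ent >= ENCRYPTED_ENTROPY_THRESHOLD,
        "file_type": describe_pe(data),
        "notes": notes,
    }
    record.update(hashes(data))
    return record


def build_minimal_pe(machine: int, pe32plus: bool, subsystem: int,
                     borland_stub: bool = False) -> bytes:
    """Constructed sample: DOS header + COFF header + optional header, no sections.
    Enough for describe_pe()/triage(); it is not a runnable executable."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    if borland_stub:
        dos[2:3] = b"P"                                   # 'MZP', as in the previews above
        dos[0x30:0x34] = b"InUn"
        dos[0x4E:0x4E + len(BORLAND_STUB_MSG)] = BORLAND_STUB_MSG
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew -> PE signature at 0x80
    opt_size = 112 if pe32plus else 96                    # standard fields only, no data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "delphi_gui.exe": build_minimal_pe(IMAGE_FILE_MACHINE_I386, False,
                                           IMAGE_SUBSYSTEM_WINDOWS_GUI, borland_stub=True),
        "x64_console.exe": build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, True,
                                            IMAGE_SUBSYSTEM_WINDOWS_CUI),
        "packed.bin": bytes(range(256)) * 64,             # every byte value equally often: entropy 8.0
    }
    for name, blob in samples.items():
        print(name)
        for key, value in triage(blob).items():
            print(f"  {key}: {value}")
```

Entropy close to 8 bits per byte only says the bytes are compressed or encrypted; on an Inno Setup installer the 21 MB file flagged Encrypted: true above is what a compressed setup payload looks like, so that flag by itself is not evidence of a malicious packer. Treat it as a prompt to unpack and hash the contents, and rely on the hash set and the File Type line, which are deterministic, when matching a sample against this report.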
Process:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):721920
Entropy (8bit):6.497907284408831
Encrypted:false
SSDEEP:12288:psMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9z4:qMcMoi3rPR37dzHRA6G7WbuSEmK50zyo
MD5:62B4483DC79B5846006C0C644B51FE6C
SHA1:30DCCA8EBCB80128FFF8FDCA10AF6ED47C3B240C
SHA-256:91378CB7224E7DF682C155128674E5725201F71F946DC798815830FD298D22D5
SHA-512:2A279A079B64B9A6297F3A3C079D6FCC1B5F371DC0D043AE6E2AF8EDDDE145AC8B890B0212579D3DEE0D8C6B28A210C30F5E5F2CFA2919DE94A28AC20CB6745C
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe
File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:dropped
Size (bytes):65536
Entropy (8bit):1.4097925170857268
Encrypted:false
SSDEEP:48:CrC2cmCKmB2cO4x/QxSMs6m3mSusOmzm9mi:ACCIB2dA5WSusvqgi
MD5:3ED5AB9564924E31AAE67F324210760B
SHA1:EA032153A32181951BCD2999AE5F5E3685DCCE60
SHA-256:09E566F2005A221D7645878CB4F893504103859CABA1E35C6F6939F3365A9A6F
SHA-512:F83DA6ECB7ECC48D9334207B26AD69A871BDCA623677BAFBA369B742693BD1160DA96C5237C3A1C315AA4DF1B112310FA49762DF25E2C27DF87B2DFAB926E1B3
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe
File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:dropped
Size (bytes):16384
Entropy (8bit):1.062224752487581
Encrypted:false
SSDEEP:3:Lt/hV/plfltt/lE9lllnldl/lyGltdl/l8/fNDqLwFBVHxCJPgRpbw8aRay:5X9cvV3Xy/fvDkJYR+LD
MD5:747ABF96A195B4B48A2A6D786EC803F3
SHA1:1492A4195CE3D94AF6A882FA8D038B06880DE4D2
SHA-256:89250449B4DFC492D410328D1F5A36D5AC1C3BE66C2E3DD4F9F1C11F0F8A1D9C
SHA-512:9008EEB87825DD06FABFFE2968F1D353D2043F4DF5CAEB4F285D4421181FD59BF2D4689DC35FFD646F204EDA12728FE3588EF681DC9E4FD46711F0E2DE7ADD86
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe
File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:dropped
Size (bytes):16384
Entropy (8bit):1.0717636186665822
Encrypted:false
SSDEEP:12:5NGVqnXyMLXWvhsudhJfBQILDcGuyrJvGyvP:SonXyDvTDf+GVvP
MD5:E682D0E27D9ED4B3AD0B3B15C76FE283
SHA1:48EB0AD13020D7C6E8D09E0651C8DA6705B3E46C
SHA-256:A4AF254335D62EFB02B944DA83E999251A1F409F1D22D9F929A80FB7516F7608
SHA-512:78CCCE2B5312E9D505D5BA5C96C08AA5ED6363C47C7C3A97E00D8EB1C774E159623D9DC51DB0B4DAE17653107ECB69938731DCBBC1A0878A59285CB096511213
Malicious:true
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):421200
Entropy (8bit):6.59808962341698
Encrypted:false
SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:03E9314004F504A14A61C3D364B62F66
SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):770384
Entropy (8bit):6.908020029901359
Encrypted:false
SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:67EC459E42D3081DD8FD34356F7CAFC1
SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
Category:dropped
Size (bytes):155136
Entropy (8bit):6.337010677866242
Encrypted:false
SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
MD5:CD2B99BB86BA6A499110C72B78B9324E
SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
Malicious:false

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 16258
Entropy (8bit): 6.139570109049996
Encrypted: false
SSDEEP: 384:sipqWRW40Duy6kJ62TGomsbAGciKPRflcigtCWSBhR:s5WRW40qy6kJ62TGorAJiKPRuigtMhR
MD5: 2A03699D47E1D27B6FC76EE5D3B69E45
SHA1: B84CB7454D2DA30047D767E9A083D15D315D6FFE
SHA-256: DBE9C87B9E647BB87A5C9749343428488906D5112F6F383308488FC5970CAD0A
SHA-512: BC1F7484E0996EA90BC0171D46CFA65A6BD23CF829596E09C769C4C4726F3259657ED663BCE982EC30A2409128512B13B39C0A7964F0C3C3DEC93256E0806C91
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.5342970706288699
Encrypted: false
SSDEEP: 12:JSbX72Fj0AZWhLIlHZRpQhd7777777777777777777777777Coy9DHFVa+7EpPe8:JmptINToy5/poJegvZRdsH6DxDDZFNx
MD5: EA309B81BA5374EEA9C3E4220696F480
SHA1: C66C52916417CC52B360B0A4425D4BA7EC566A25
SHA-256: 4274EEA937688A620FEC9EC144211811816AB49F7E2253AD66E1B08937F815EB
SHA-512: E1DD14B9B47AADE49F93620E6AF5C5AEDA2509A82A1C216D4E80803C048A56EFD1EE9DE24CA762C63DC552A10584D1638D0EFF414ABE9673EE1F75B3F1E14BCD
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 1.6096545552410748
Encrypted: false
SSDEEP: 48:78PhduRc06WXJWjT5mv/MSyedCVE7vmZSbedCcb6QCZfQBj:ihd1tjTIv/M/nVCvkWnLQCZoB
MD5: B50507E8795F25C0050874026DDBECDB
SHA1: FA43AF3AA883BC4320F06B1558D6732AB4258CD1
SHA-256: 97AC484E0664D4A8FAC30FC495E0A6C24E7B460FC88794753604B411CC12D8D0
SHA-512: 0E71F71A7F3B214502FFFC5DDBC8B3F1952A195D50279C2DA5FCEEE4D598E5AD54F243AD5DC492791F90310C5EC3ADC19D50F3E96513729EA852140D73CACCA8
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 360001
Entropy (8bit): 5.362989182630606
Encrypted: false
SSDEEP: 1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaub:zTtbmkExhMJCIpEe
MD5: 368BC28C108EFD53EE6301B18A3414F2
SHA1: DAFE252F8268FEC92F81BA824348146767ECF71D
SHA-256: 40E56DA4559E352C95E96FEC8E51100CCB187B9AC0415E8199999F56185D066F
SHA-512: 59835851553CC788897179BD6778329629EBF48082ED0C06FCB546E6A96C8DF2B20CB90BA59362182DE8DC5D28F12082BFDF030CCAA2E0255C89AC26AF76B44F
Malicious: false
Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

Process: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 72704
Entropy (8bit): 5.120663111013087
Encrypted: false
SSDEEP: 768:08OHRuSkCJ/fUHhO3YhnBtTmSOa+X4ZU9qZU9DrGIL:0REGJ/fUBOohLO34p5G
MD5: E916105F7E59F8AD0F5B80B1E91D4F37
SHA1: D4BC9CFDD22AC7FDB600BB3A67CA153C686C00DC
SHA-256: BFF873FC93F1FDED5634C2771ED307F8D10AD0F08235F3B727A660A8DA1EEAE5
SHA-512: B5176E542C2E9BFF51000A4A62C49330CF8AB21F02D13169C3982C850F22B3D1B3F5F8A916DFF5A0B0A78E43699E746ECB172A211CD32FF9AE2F9478DB3155CE
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 138056
Entropy (8bit): 6.453257536048564
Encrypted: false
SSDEEP: 3072:XGAbjYAiKWDEvB+55/Ho4y6P5sxQ2euRA9ot:z+KWovoP/Ho4BP5wdUS
MD5: 36D7D05505951F542922DF4C725CC57D
SHA1: 074902FF54D30EF6EE2FD6EBE475526CAC84670C
SHA-256: 74B7C86B75CFAF5121554BD8CC4DD8E496458311070FA43B9B4FB13B4D8C8EAB
SHA-512: 4C7F9445703FC79F595739CFC0D4E24DADE4C9959F6CB24840B020E98943F4DBED9C2937187165452215AB0A683D1159C4D629E22BFFA625BF08286FCE657889
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 888832
Entropy (8bit): 7.332816074914905
Encrypted: false
SSDEEP: 24576:Vf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLY:ZuscKu6GaXUT4IBAUZLY
MD5: 73AF5773BF5627FE771BF6809EC839F9
SHA1: 69D9597991DD0D1C6B478174AAA85B0E8175D0A7
SHA-256: 6CD69191469BF13F0CEA70837BAC9B1E7871C116F5F6F18BEF5A6A9575C020C9
SHA-512: 64B631454D1D16709AE96CCA95E8E3DD6049841C53EF6C4643B1A5B28A32FE6BFACB86337E93B5F9F2ABF43D0233B094646B8065D3C1FAFEAAB7C3D6E371B864
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 986112
Entropy (8bit): 6.797825325058922
Encrypted: false
SSDEEP: 12288:jgL7cjlDxmgi/Fxzbk9qHymaMdzRUIfZYQZOj5xCtxE0d77nPhy4aCGJf:UvchXvmaMdlUoZi5xCLP79qV
MD5: 8793F1C87B8729661C79E738C3294CDC
SHA1: 5DA2159F029AC01B6BDCF29534F3EBAF5EFDEF1C
SHA-256: A916F107FA78273EE104DCF8F0729D237F2E60647A389E81DBE424201274E618
SHA-512: 3F228C822A1592083D321CFE5E75D284B740B9199CD2C57BA7E3582E4CB47BDBB103E61D7D70281C38979FAE9D749E542CF457640BAF9675DC01073076513E51
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 72704
Entropy (8bit): 5.120663111013087
Encrypted: false
SSDEEP: 768:08OHRuSkCJ/fUHhO3YhnBtTmSOa+X4ZU9qZU9DrGIL:0REGJ/fUBOohLO34p5G
MD5: E916105F7E59F8AD0F5B80B1E91D4F37
SHA1: D4BC9CFDD22AC7FDB600BB3A67CA153C686C00DC
SHA-256: BFF873FC93F1FDED5634C2771ED307F8D10AD0F08235F3B727A660A8DA1EEAE5
SHA-512: B5176E542C2E9BFF51000A4A62C49330CF8AB21F02D13169C3982C850F22B3D1B3F5F8A916DFF5A0B0A78E43699E746ECB172A211CD32FF9AE2F9478DB3155CE
Malicious: false
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):888832
Entropy (8bit):7.332816074914905
Encrypted:false
SSDEEP:24576:Vf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLY:ZuscKu6GaXUT4IBAUZLY
MD5:73AF5773BF5627FE771BF6809EC839F9
SHA1:69D9597991DD0D1C6B478174AAA85B0E8175D0A7
SHA-256:6CD69191469BF13F0CEA70837BAC9B1E7871C116F5F6F18BEF5A6A9575C020C9
SHA-512:64B631454D1D16709AE96CCA95E8E3DD6049841C53EF6C4643B1A5B28A32FE6BFACB86337E93B5F9F2ABF43D0233B094646B8065D3C1FAFEAAB7C3D6E371B864
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):77824
Entropy (8bit):5.8489695835244095
Encrypted:false
SSDEEP:768:bw6vENCUvhLcSCE/StC0KuFLRO5ZikoHBc1m7s4wixE+XwVY/nToIf18IOsIOIiy:bDvENBhA+WjPLAVY/nToIfCIOsIOIip
MD5:72E87AD407BB28F5B471C3396296B377
SHA1:15CD01170FF8D8531FB16F4F7A1C5FBE810A1057
SHA-256:91EC6085E862E1EEDC254BF88EFECD4FA67F486216AB3B1473915D15462E71BB
SHA-512:1569939514C0E30E2FBF7D81586ADA53931AC36B11F306B95B5E0741C6B32C45D88D33271223C99CD4FBD585F0675D5188557E5DFE6901F9FBB2E3E8EC98A698
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):986112
Entropy (8bit):6.797825325058922
Encrypted:false
SSDEEP:12288:jgL7cjlDxmgi/Fxzbk9qHymaMdzRUIfZYQZOj5xCtxE0d77nPhy4aCGJf:UvchXvmaMdlUoZi5xCLP79qV
MD5:8793F1C87B8729661C79E738C3294CDC
SHA1:5DA2159F029AC01B6BDCF29534F3EBAF5EFDEF1C
SHA-256:A916F107FA78273EE104DCF8F0729D237F2E60647A389E81DBE424201274E618
SHA-512:3F228C822A1592083D321CFE5E75D284B740B9199CD2C57BA7E3582E4CB47BDBB103E61D7D70281C38979FAE9D749E542CF457640BAF9675DC01073076513E51
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4342088
Entropy (8bit):7.051728105290309
Encrypted:false
SSDEEP:98304:BZP0PvxMJfTcXPSo0akd+BPSLC4IEy+XNy136jCfsqLhDIJJGN8mFLOAkGkzdnEe:BZP2iIE80qLrHFLOyomFHKnPAG
MD5:07BCCDCC337D393D7DB0B2F8FE200B3F
SHA1:5A02B227CB0A22A8E7884CD138C3E8568D083D94
SHA-256:BF38DDA13B938B49A4DF72B6477342373EE6E151BE12C25CB0C17662FCB4BCD4
SHA-512:E5637727A549CF7B88F13474097A71200F0DFA511ECD55C5A42E5F53E9F86CE8B7CE763448830FD073E232876F7537BAD96F2CED8D3159558778460264D07639
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):36176
Entropy (8bit):5.5666055070859155
Encrypted:false
SSDEEP:768:I5divsXPqptLkrHyTby9XVLwMi2jXHUIv:wi0XPqptLUHCbyBVL39rHUIv
MD5:8BF73FAA44C897C1812F2DACF0EAAF8A
SHA1:C9D4E010FC9069F44028AA54CF4AC3329CA2AB2F
SHA-256:8D1E7FB72BCEB10215108D48FE4FA6AEA1F03636F56FC3BE5E6D5552C4094C46
SHA-512:61C0609E0BEEC2985FE8FC7839C17463DA685D39221D648FAA8C7F088627A6C514A8FCFE71948ADF2D3F28B2AF78F8653FE5E4771D7C1AB000FC2F7463D09E8C
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):36176
Entropy (8bit):5.622324615571566
Encrypted:false
SSDEEP:768:SuufpTVI4pk7kn4TJVM3i/EhKTMi2jpvAx:+pTVI4pk4noVM3XhKg95Ax
MD5:4AD997573259D5BBF211D9FB2BBA3DB0
SHA1:C9A8BADE464A2AEDF823CE147529A74DA5416038
SHA-256:90ADEFDCD57C9CE8C5E542FCBDA108860427E9334BD9BFE564AD5556683BC954
SHA-512:4C630D8ED88DB6062561BCF379235E9CA113C1F9F5DD54A6A9088E5D31B38573B6C891376E76AF0BDEAE360F47D714F2DE8AD9632C7FECB1FC3FF0CA7FC6022B
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):64336
Entropy (8bit):4.138154922872674
Encrypted:false
SSDEEP:1536:fVPidQr0OWqnn0BDhCPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9j95a:fVidQr0OWqnnShCPu6V4aGCWRZX0bhpv
MD5:5F522204B79025F0D5870076111409F3
SHA1:6A17C85B6C4B3F33F2B8D8755EA38D5B0C092168
SHA-256:CE1FC625509D697A2CD174115A593158AD9EED5B97967E619421696FC01D381E
SHA-512:405B8DEAB3E87618C0C1238585E0CA7C22E66984148568AF5915B2E908B6C07218774667839B67481661E14727FBF95061A78802E6154286C229170F42A0F1A0
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):55120
Entropy (8bit):4.197711698709668
Encrypted:false
SSDEEP:768:EgIdijcuEhCgySa6B1CLPLNq5f/nWHBNheOU2fd5WMi2jpvm:3I0ifySa6B8PLNYf/nWHNTdv95m
MD5:D21165B7DBCC968CD829C00608F5694E
SHA1:E6882666F88572624AB77074CEAD86448A6CF641
SHA-256:14C4069CD931E9CD3F519D321CE50E4E531C385403C124FFEE7CA7831B0ADB63
SHA-512:A3F00761110214C1FFEE78A008A1E17C9969B12B2B3D33C655E47D9E3E6ED13AFAC000402C24F3C20878348C8970856098EC89ABF426D9F990F4C71309E73B62
Malicious:false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 63824
Entropy (8bit): 4.069449731249543
Encrypted: false
SSDEEP: 768:aYE0Kv+BU69x6rg/PKuCOCF3OKWRElJRZRIvpsMi2jXHU/kv2:LA+q69x68/PKuFm3OKWkRZRIp9rHUk2
MD5: 81C0790DBD237317E4BA2908F53E045A
SHA1: 70A077458CAD7E76B23F0FF77D6CFCB9F0FA4693
SHA-256: DC5ABB34069E3E8E1451E36B44822DEF82B624F9811F825D417874202A4A242C
SHA-512: 47D4ABA0F7691FDA6E388646767C3D99C2781F21BF58A46399750DC780C160CBC1060B8923767CAE2546BDE58B6F631C6AC4583711E15F9460BCDE7637BD7D3A
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 64336
Entropy (8bit): 4.118195590576372
Encrypted: false
SSDEEP: 768:kqth26iN6NjZELIaYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2J:FNPqLIaQA2SCHj0jt95Q
MD5: BDB98792CE6C2654F14E1BF47263527B
SHA1: 60E946BF95ABAE671E9F88CE5AE7ADA6D2CA0B5C
SHA-256: 6AB663A7C7A648DDDB428ACDBC8CBC91C66C93A52323DF1A519BFEAEA9A4F6EC
SHA-512: 3747B0CC87D20FA0D0F8FACB43AE917FDB174665B4363FAC2943787ABE4C645D36C73B40327FBA33F87F0C8C65CB33375F9E91A3A75D7EDD791AFB89F17E9FE1
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 62288
Entropy (8bit): 4.093367290099013
Encrypted: false
SSDEEP: 768:K6E6XaEYyqbK15MEBigDGxNIlW3gyCQQQjeqS1hDsiiUWTVqMi2jXHUd:naEOs5MEBigSxNIlW37oETb9rHUd
MD5: 3301A48EC56740776326760858936BCD
SHA1: BDDC636C935A4C965FF6A4723EC754CFA09DA8C6
SHA-256: 7E36BA0E433F5478B1F405388870533EE2B631A4BEE992EB6C5708797A8E0B25
SHA-512: E23604EB225435D941BB57D93AABCD9F4652CC6A1BEC4579064A0C9FD794D5A64B959A98ED8636EF127F37C7671C36BF27C13EBD1309968D43EBBA7117D49072
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 43856
Entropy (8bit): 5.449702782814297
Encrypted: false
SSDEEP: 768:dsTbayVn/IatJxtr10/euKRHIWIMi2jXHUh:GTeyp/Is/uMl9rHUh
MD5: 6A7F31C6FAFEA0EF7F17A9B17B247254
SHA1: 78C3614453D4FB5F96BD21B7CE66E9D5C8C22FCC
SHA-256: 93CCF853A22AD5C9A3BC9F0D87FAB3E356C728332E5968E38B3751C03179B06A
SHA-512: CC6332E4406D5109CF1522BDA36C1C05B83542ADBF180D88286F08F3E5F260A84A20898B2539E9BAECC6D86EED503EB9ED05AEC2B26672C044EF9A0FB8F12E7D
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 43344
Entropy (8bit): 5.551158148566457
Encrypted: false
SSDEEP: 768:fVz754LQTN3kraHniJNB2I7CvquMi2jXHUPc:151TN3VniJv2I7CvqZ9rHUPc
MD5: B5A093F44E7E5C618A7698839DF6583C
SHA1: F4707CF3D4CBE81E9A680B74C201C386ECA8649E
SHA-256: C3DC021011FE766D54927F6865936B3B9473E5BC38BB1BBACB94A0C739C4A16D
SHA-512: 937DA004BB71A4B764CEB284D2760E71247F47A6D4D2EAA594A4269C2F5E2A2701DCA91493248D3E6BD08A6AE0C9C3A0342C1B1B8DE180010159E129A2FB0004
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 60752
Entropy (8bit): 4.6896553999495465
Encrypted: false
SSDEEP: 768:yURq/lFXOv/iuqN9TMIVhtZ3FckD+SyMi2jpv2l:MDXOv/ahTVV952l
MD5: 6D163D436251978D14E4C80F33385D76
SHA1: CC1957B2D9ADEBC1946CAF3E8DCA08623E43842F
SHA-256: 8597AFF5549E1F14805F288CE69C0DCE270ED0C1D6515A4C923004F0D753240C
SHA-512: 0CD9DEF6C62180CF7D90EED35D6FAB73DDFABA91C0642111EB592896FDB50EC4E1CEEA21F298F10AA6290AFEA208B961C979F075FCFAD169674965E0E01F5995
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4368720
Entropy (8bit): 7.026244983352001
Encrypted: false
SSDEEP: 98304:zge9f+eJ5LbHVlaHqQ1NaXJw9QxCqk23i3ggGe9SfcoLDPiHkKos7FLOAkGkzdnR:zxf5cBudLps7FLOyomFHKnPAw
MD5: F841F32AD816DBF130F10D86FAB99B1A
SHA1: 0F8B90814B33275CF39F95E769927497DA9460BF
SHA-256: 7A4CFBCE1EB48D4F8988212C2E338D7781B9894EF0F525E871C22BB730A74F3E
SHA-512: 6222F16722A61EE6950B6FBCBE46C2B08E2394CE3DD32D34656FAF2719E190E66B4E59617C83F117AD3793B1292A107F275087B037CF1B6E4D9819323748079A
Malicious: false

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 80208
Entropy (8bit): 6.173505901056785
Encrypted: false
SSDEEP: 1536:KKfLgly77rSxB8p/KGefmLQBY3pROBCrU95:KYg877rwB8p/KGefmLJ3pROBCrU95
MD5: 09FF12BAE0EB3E6E688609095390D34B
SHA1: 49511F73B54E8F702C7EA769331558B8705DFEC3
SHA-256: 0FEF52F0378B75600B828172377DEA92F8CE4F9CB2E0DCEE5D96300EA6D102DD
SHA-512: D7EA7B78CE34E5DFC3EBFA2268C8349469854D02DC4C3423D517DD3B74FFD283409EEB275676F68F6DDC514D8D05EBD44125EA630064493D10AEFA4749974EBC
Malicious: false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):80720
                                                                                                                                                                                Entropy (8bit):6.164375554936668
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:+iH8I62fuAyjBi28NaHmOKGefmLQBw93OBOQky9rHUWe:+jI62fxKT8NaHhKGefmLH93OBOQky9o1
                                                                                                                                                                                MD5:9BF0CB63876BA82B8178EC733F6510C7
                                                                                                                                                                                SHA1:BBC2580DA25AE39655D6A042761F8A753A9F127F
                                                                                                                                                                                SHA-256:D9A7C9ECF9C022B2FBFE1EFEEA5215A7CAA2BF95674FA88DD5E35AFDB310E80A
                                                                                                                                                                                SHA-512:D61D38530D40201AB6934CF256728D24E597065FAE12A77B36103B5CE3BD19B342B436BF54C56949F11B957C4F93795E059EE4784EFD213C22E9E6FB072E24A5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):51024
                                                                                                                                                                                Entropy (8bit):6.5875642480554895
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:NEYT1tiIlhnRlp+nbBjzzLSXI/Je9rHU6k:BYIl7lp+nbdz4I/U9oH
                                                                                                                                                                                MD5:631945C6518533A9FADAAA8E98F4AB5B
                                                                                                                                                                                SHA1:34B856EBDDA19B5AB96ED77FB5FB82A00CFE023A
                                                                                                                                                                                SHA-256:2011268947625670A758382E811C71B597B615F1763F8D30A5195B80DA4644FC
                                                                                                                                                                                SHA-512:1CBBC26787AEADE276B30582124B7C457F352754BDDF72A709E90EA884F09CC1327EBBA3087ECB3224762438F669F860C640B18B1863995955E429B3ED894372
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):77824
                                                                                                                                                                                Entropy (8bit):5.8489695835244095
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:bw6vENCUvhLcSCE/StC0KuFLRO5ZikoHBc1m7s4wixE+XwVY/nToIf18IOsIOIiy:bDvENBhA+WjPLAVY/nToIfCIOsIOIip
                                                                                                                                                                                MD5:72E87AD407BB28F5B471C3396296B377
                                                                                                                                                                                SHA1:15CD01170FF8D8531FB16F4F7A1C5FBE810A1057
                                                                                                                                                                                SHA-256:91EC6085E862E1EEDC254BF88EFECD4FA67F486216AB3B1473915D15462E71BB
                                                                                                                                                                                SHA-512:1569939514C0E30E2FBF7D81586ADA53931AC36B11F306B95B5E0741C6B32C45D88D33271223C99CD4FBD585F0675D5188557E5DFE6901F9FBB2E3E8EC98A698
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):73728
                                                                                                                                                                                Entropy (8bit):0.15192436375750867
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:PBjfRZf5b6QoipV5QG+RdCaipVkQG+RdCIwEV+j6DTNgNlGu3+OdXj6DTi:PBj5Zf5b6QoSbedCaSyedCVE7vmnEv
                                                                                                                                                                                MD5:6A54761CCF33304C38A253B400A0D250
                                                                                                                                                                                SHA1:70572F5278113F1804BE5611DF8751CCE3E58B7F
                                                                                                                                                                                SHA-256:6DB8FB26C3B6F4B6354C960FA10DD8158D26B017EAB77841833F0035C564EB92
                                                                                                                                                                                SHA-512:08DC09B01952819FE308FABCED2B5D3C86C4BB041A2CBCEEDF83E6AF357EA9C2D490C6D21313AE7F43137579FC22A3387C28FFA10DDC1BB9B9F9CE64545B8574
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                Entropy (8bit):1.6096545552410748
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:78PhduRc06WXJWjT5mv/MSyedCVE7vmZSbedCcb6QCZfQBj:ihd1tjTIv/M/nVCvkWnLQCZoB
                                                                                                                                                                                MD5:B50507E8795F25C0050874026DDBECDB
                                                                                                                                                                                SHA1:FA43AF3AA883BC4320F06B1558D6732AB4258CD1
                                                                                                                                                                                SHA-256:97AC484E0664D4A8FAC30FC495E0A6C24E7B460FC88794753604B411CC12D8D0
                                                                                                                                                                                SHA-512:0E71F71A7F3B214502FFFC5DDBC8B3F1952A195D50279C2DA5FCEEE4D598E5AD54F243AD5DC492791F90310C5EC3ADC19D50F3E96513729EA852140D73CACCA8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                Entropy (8bit):1.285528089316545
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ZMluQI+CFXJxT5Lv/MSyedCVE7vmZSbedCcb6QCZfQBj:elgZT1v/M/nVCvkWnLQCZoB
                                                                                                                                                                                MD5:C54BD5021E7FD262CC2CAD8C1184F104
                                                                                                                                                                                SHA1:E6FAE901BC468A6A5ACFC6B2CAE0A037DDE07F8C
                                                                                                                                                                                SHA-256:549AEEEB59CA020D37F735990BB865BFE1DCDA4B7D55F079603AE75B89E79EE9
                                                                                                                                                                                SHA-512:1AD6532F3A677F0294F8DE9AC00DE02B6BDA6F0BE7416C8E2F838F56690B3E78853B3E805C27F7174CF953EB07D8640F52DE8ACB44B427C74F23036FA8BE620D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                Entropy (8bit):1.285528089316545
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ZMluQI+CFXJxT5Lv/MSyedCVE7vmZSbedCcb6QCZfQBj:elgZT1v/M/nVCvkWnLQCZoB
                                                                                                                                                                                MD5:C54BD5021E7FD262CC2CAD8C1184F104
                                                                                                                                                                                SHA1:E6FAE901BC468A6A5ACFC6B2CAE0A037DDE07F8C
                                                                                                                                                                                SHA-256:549AEEEB59CA020D37F735990BB865BFE1DCDA4B7D55F079603AE75B89E79EE9
                                                                                                                                                                                SHA-512:1AD6532F3A677F0294F8DE9AC00DE02B6BDA6F0BE7416C8E2F838F56690B3E78853B3E805C27F7174CF953EB07D8640F52DE8ACB44B427C74F23036FA8BE620D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                Entropy (8bit):1.285528089316545
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:ZMluQI+CFXJxT5Lv/MSyedCVE7vmZSbedCcb6QCZfQBj:elgZT1v/M/nVCvkWnLQCZoB
                                                                                                                                                                                MD5:C54BD5021E7FD262CC2CAD8C1184F104
                                                                                                                                                                                SHA1:E6FAE901BC468A6A5ACFC6B2CAE0A037DDE07F8C
                                                                                                                                                                                SHA-256:549AEEEB59CA020D37F735990BB865BFE1DCDA4B7D55F079603AE75B89E79EE9
                                                                                                                                                                                SHA-512:1AD6532F3A677F0294F8DE9AC00DE02B6BDA6F0BE7416C8E2F838F56690B3E78853B3E805C27F7174CF953EB07D8640F52DE8ACB44B427C74F23036FA8BE620D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):32768
                                                                                                                                                                                Entropy (8bit):0.3364159434289711
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:oBWxx0i8n0itFzDHFVa+7EpPeJMVvh/J09RSdIpHMsULzkQDTrWQDTrWB9CrclWS:vxOF0ml/poJegvZRdsH6DxDD
                                                                                                                                                                                MD5:597116FD1A30D7512E5BBBE0FB943CBA
                                                                                                                                                                                SHA1:C595A0C8390069463DF1E05AF16B4676E245CAFA
                                                                                                                                                                                SHA-256:9579E3B1C16ADCCBE22F7E80F96245FB00939C15BAE5E32390580E588DC8DD28
                                                                                                                                                                                SHA-512:1992613B1DBB8867F19CA5F2E9380CB8A6D554B417A4E3874A2D9C981B3932992A51140891C53E6ED10F5737346A467A11DB8992DB3D7935E48F2ADEC5340AB5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):20480
                                                                                                                                                                                Entropy (8bit):1.6096545552410748
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:78PhduRc06WXJWjT5mv/MSyedCVE7vmZSbedCcb6QCZfQBj:ihd1tjTIv/M/nVCvkWnLQCZoB
                                                                                                                                                                                MD5:B50507E8795F25C0050874026DDBECDB
                                                                                                                                                                                SHA1:FA43AF3AA883BC4320F06B1558D6732AB4258CD1
                                                                                                                                                                                SHA-256:97AC484E0664D4A8FAC30FC495E0A6C24E7B460FC88794753604B411CC12D8D0
                                                                                                                                                                                SHA-512:0E71F71A7F3B214502FFFC5DDBC8B3F1952A195D50279C2DA5FCEEE4D598E5AD54F243AD5DC492791F90310C5EC3ADC19D50F3E96513729EA852140D73CACCA8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):19
                                                                                                                                                                                Entropy (8bit):3.5110854081804286
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:RoHQGQB5:RZGU5
                                                                                                                                                                                MD5:E3AC0178A28CF8E44D82A62FAE2290D7
                                                                                                                                                                                SHA1:C0F1C66E831ADD5EA81B19BFA0E85D1D2CA192BA
                                                                                                                                                                                SHA-256:2C61108AC0158F555B0632F5658D79D502B0929F2090848A7DEB77158667D43C
                                                                                                                                                                                SHA-512:F7C2290526630DEF784459621007F389D720034D3BCE1EFF9B761C7A959061FDB465B9D239290EB543E7B0CFB41682361D0400459621F8756A8A09782F33693A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:CertMgr Succeeded..
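Each dropped-file record above reduces to five computable fields: size, "Entropy (8bit)" (Shannon entropy in bits per byte), and the MD5/SHA1/SHA-256/SHA-512 digests. The following Python is an added example, not part of the Joe Sandbox report, that reproduces those fields for an arbitrary byte string and diffs them against a record. It is run on the 19-byte file written by certmgr.exe, reconstructed here as the text `CertMgr Succeeded` followed by CRLF (an assumption drawn from the preview line and the "ASCII text, with CRLF line terminators" file type); with that content the computed entropy equals the report's 3.5110854081804286, and the digests can be checked against the record the same way when the file itself is recovered from the sandbox.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte, the quantity the report labels "Entropy (8bit)".

    0.0 for a constant buffer, 8.0 for a uniform distribution over all 256 byte values;
    values close to 8 (the sample itself scores 7.9975) indicate compressed or encrypted data.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_dropped_file(data: bytes) -> dict:
    """Reproduce the per-file fields of a dropped-file record (digests upper-cased as in the report)."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_record(data: bytes, record: dict) -> list:
    """Return the names of record fields that do NOT match the given bytes.

    An empty list means the bytes are the file the record describes; a non-empty list
    tells you which field disagrees (size/entropy alone differing usually means a
    reconstruction error such as LF instead of CRLF).
    """
    got = describe_dropped_file(data)
    mismatches = []
    for key, want in record.items():
        if key == "entropy":
            ok = math.isclose(got[key], want, rel_tol=1e-9)
        else:
            ok = got[key] == want
        if not ok:
            mismatches.append(key)
    return mismatches


# Constructed input (assumption): the certmgr.exe output file, rebuilt from the preview
# "CertMgr Succeeded.." and the CRLF file type; 17 characters plus \r\n gives the 19 bytes listed.
CERTMGR_OUTPUT = b"CertMgr Succeeded\r\n"

# Field values copied from that file's record in the report.
CERTMGR_RECORD = {
    "size": 19,
    "entropy": 3.5110854081804286,
    "md5": "E3AC0178A28CF8E44D82A62FAE2290D7",
    "sha1": "C0F1C66E831ADD5EA81B19BFA0E85D1D2CA192BA",
    "sha256": "2C61108AC0158F555B0632F5658D79D502B0929F2090848A7DEB77158667D43C",
}


if __name__ == "__main__":
    for key, value in describe_dropped_file(CERTMGR_OUTPUT).items():
        print(f"{key}: {value}")
    print("mismatching fields:", matches_record(CERTMGR_OUTPUT, CERTMGR_RECORD))
```

Run it against any file recovered from the analysis directory by replacing CERTMGR_OUTPUT with the file's bytes; a mismatch on every digest but not on size or entropy is the usual sign that the bytes were altered in transit (line-ending conversion, trailing newline) rather than that the record is wrong.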
                                                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                Entropy (8bit):7.997566234375059
                                                                                                                                                                                TrID:
                                                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                                                                • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                File name:WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
                                                                                                                                                                                File size:41'523'552 bytes
                                                                                                                                                                                MD5:c20f986ed82e351e90b8a8140ccbf8e9
                                                                                                                                                                                SHA1:9b62da430088fb0a73deaa8fb99ca7df89ffc0b2
                                                                                                                                                                                SHA256:d8475f7c55ff4a9e40c2593b477d2bed7d7c3e8f79ef3eed64a61794b328f130
                                                                                                                                                                                SHA512:49c491a3b7c7c1fbbb261e56970bff9db03956f3473c0cf7852287f4a209b92021e72a3e35974d840090d7c0c589b140fc006fc836b3d24f087b48c14c877a26
                                                                                                                                                                                SSDEEP:786432:RVXAo87HPSrQgT+Kykoo1AMLOf6HxyDoOi/JUBTKtF41Zfh2+4Bp5V1y:hCHqrQD+oSYSHS7i/yBGtF8g5V1y
                                                                                                                                                                                TLSH:6197337BB265253EC09E163244739A10A8BBA7A1755BCC2E5BF04B4DCF798310F3B259
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: a8545a58561232cd
Entrypoint: 0x4b5eec
Entrypoint Section: .itext
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 5a594319a0d69dbc452e748bcf05892e
Signature Valid: true
Signature Issuer: CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
• 09/07/2021 21:36:32, 09/10/2024 21:36:32
Subject Chain:
• CN=Deluxe Corporation, OU=Deluxe Corporation, O=Deluxe Corporation, L=Shoreview, S=Minnesota, C=US
Version: 3
Thumbprint MD5: 5ECB230EA62F6310DA00D39156E7E87F
Thumbprint SHA-1: F1D7BFF5EC16EA44FE89983F1B04092CED35C8F2
Thumbprint SHA-256: 3397A9A9A8E7E4B706E20ED8FF303ADA2A711DBC6B3FF84B9F3B5DCDF1613321
Serial: 2A92FB53E470AC968584EF08
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007F3470E2CF35h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F3470ECF65Fh
call 00007F3470ECF1B2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F3470E429A8h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F3470E27B27h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007F3470E43A0Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F3470ECF6E7h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F3470ED5CCAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F3470E44304h
mov edx, dword ptr [004C1D90h]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x6588 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2796da0 | 0x2bc0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xb361c | 0xb3800 | ad6e46e3a3acdb533eb6a077f6d065af | False | 0.3448639341051532 | data | 6.356058204328091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0xb5000 | 0x1688 | 0x1800 | d40fc822339d01f2abcc5493ac101c94 | False | 0.544921875 | data | 5.972750055221053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0xb7000 | 0x37a4 | 0x3800 | 4c195d5591f6d61265df08a3733de3a2 | False | 0.36097935267857145 | data | 5.044400562007734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0xc2000 | 0xf36 | 0x1000 | a73d686f1e8b9bb06ec767721135e397 | False | 0.3681640625 | data | 4.8987046479600425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didata | 0xc3000 | 0x1a4 | 0x200 | 41b8ce23dd243d14beebc71771885c89 | False | 0.345703125 | data | 2.7563628682496506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .edata | 0xc4000 | 0x9a | 0x200 | 37c1a5c63717831863e018c0f51dabb7 | False | 0.2578125 | data | 1.8722228665884297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0xc7000 | 0x6588 | 0x6600 | 64b57db47ddf02799c92b942d5c848fc | False | 0.2545955882352941 | data | 4.338006249498075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc7438 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12288 | English | United States | 0.18489096573208721 |
| RT_STRING | 0xca660 | 0x360 | data | | | 0.34375 |
| RT_STRING | 0xca9c0 | 0x260 | data | | | 0.3256578947368421 |
| RT_STRING | 0xcac20 | 0x45c | data | | | 0.4068100358422939 |
| RT_STRING | 0xcb07c | 0x40c | data | | | 0.3754826254826255 |
| RT_STRING | 0xcb488 | 0x2d4 | data | | | 0.39226519337016574 |
| RT_STRING | 0xcb75c | 0xb8 | data | | | 0.6467391304347826 |
| RT_STRING | 0xcb814 | 0x9c | data | | | 0.6410256410256411 |
| RT_STRING | 0xcb8b0 | 0x374 | data | | | 0.4230769230769231 |
| RT_STRING | 0xcbc24 | 0x398 | data | | | 0.3358695652173913 |
| RT_STRING | 0xcbfbc | 0x368 | data | | | 0.3795871559633027 |
| RT_STRING | 0xcc324 | 0x2a4 | data | | | 0.4275147928994083 |
| RT_RCDATA | 0xcc5c8 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0xcc5d8 | 0x2c4 | data | | | 0.6384180790960452 |
| RT_RCDATA | 0xcc89c | 0x2c | data | | | 1.2045454545454546 |
| RT_GROUP_ICON | 0xcc8c8 | 0x14 | data | English | United States | 1.15 |
| RT_VERSION | 0xcc8dc | 0x584 | data | English | United States | 0.2762039660056657 |
| RT_MANIFEST | 0xcce60 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317 |
DLL: Import
kernel32.dll: GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll: InitCommonControls
version.dll: GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll: CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll: SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll: NetWkstaGetInfo, NetApiBufferFree
advapi32.dll: RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
| Name | Ordinal | Address |
|---|---|---|
| TMethodImplementationIntercept | 3 | 0x454060 |
| __dbk_fcall_wrapper | 2 | 0x40d0a0 |
| dbkFCallWrapperAddr | 1 | 0x4be63c |
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T19:35:23.926818+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.6 | 49766 | TCP
2024-10-31T19:36:02.122625+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.6 | 49957 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 19:36:08.088934898 CET | 57522 | 53 | 192.168.2.6 | 1.1.1.1
Oct 31, 2024 19:36:08.097771883 CET | 53 | 57522 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 19:36:08.088934898 CET | 192.168.2.6 | 1.1.1.1 | 0x4e67 | Standard query (0) | 126.131.12.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 19:36:08.097771883 CET | 1.1.1.1 | 192.168.2.6 | 0x4e67 | Name error (3) | 126.131.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


Target ID: 0
Start time: 14:35:04
Start date: 31/10/2024
Path: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Imagebase: 0x400000
File size: 41'523'552 bytes
MD5 hash: C20F986ED82E351E90B8A8140CCBF8E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:35:05
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-J29IE.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$203DA,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Imagebase: 0x400000
File size: 3'131'328 bytes
MD5 hash: C2B12368174C2843B050C1000CD7A7F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 3
Start time: 14:35:12
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_Install_4.0.4.0.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Imagebase: 0x400000
File size: 21'344'240 bytes
MD5 hash: FAC28B29942B43B885400CCBCBC47C06
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 4
Start time: 14:35:13
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-Q0RO4.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$1044C,20499878,788480,C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Imagebase: 0x400000
File size: 3'131'328 bytes
MD5 hash: 895924B96B8B7BC52781E921E0AB93B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 5
Start time: 14:35:13
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\net.exe" stop RDMAppweb
Imagebase: 0x2c0000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 14:35:13
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 14:35:13
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 stop RDMAppweb
Imagebase: 0xa00000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 14:35:14
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Imagebase: 0x1c0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 14:35:14
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 14:35:14
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x7b0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                Target ID:11
                                                                                                                                                                                Start time:14:35:15
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
                                                                                                                                                                                Imagebase:0x1c0000
                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:12
                                                                                                                                                                                Start time:14:35:15
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:13
                                                                                                                                                                                Start time:14:35:15
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:tasklist
                                                                                                                                                                                Imagebase:0x7b0000
                                                                                                                                                                                File size:79'360 bytes
                                                                                                                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:14
                                                                                                                                                                                Start time:14:35:16
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                File size:6'585'704 bytes
                                                                                                                                                                                MD5 hash:8DFECDDDB51D01D40B8FC278AE3C555C
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:15
                                                                                                                                                                                Start time:14:35:17
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-SGJBO.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104A6,6322833,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                File size:721'920 bytes
                                                                                                                                                                                MD5 hash:62B4483DC79B5846006C0C644B51FE6C
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:16
                                                                                                                                                                                Start time:14:35:18
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall
                                                                                                                                                                                Imagebase:0xee0000
                                                                                                                                                                                File size:16'896 bytes
                                                                                                                                                                                MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:17
                                                                                                                                                                                Start time:14:35:18
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable
                                                                                                                                                                                Imagebase:0xee0000
                                                                                                                                                                                File size:16'896 bytes
                                                                                                                                                                                MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:18
                                                                                                                                                                                Start time:14:35:19
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start
                                                                                                                                                                                Imagebase:0xee0000
                                                                                                                                                                                File size:16'896 bytes
                                                                                                                                                                                MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:19
                                                                                                                                                                                Start time:14:35:19
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
                                                                                                                                                                                Imagebase:0xee0000
                                                                                                                                                                                File size:16'896 bytes
                                                                                                                                                                                MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:20
                                                                                                                                                                                Start time:14:35:19
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
                                                                                                                                                                                Imagebase:0x130000
                                                                                                                                                                                File size:12'288 bytes
                                                                                                                                                                                MD5 hash:BA232235CDE212CF4900B84C7BF1CC0E
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:21
                                                                                                                                                                                Start time:14:35:19
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:14:35:20
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\net.exe" stop RDMAppweb
Imagebase:0x2c0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:14:35:20
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:14:35:20
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 stop RDMAppweb
Imagebase:0xa00000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:14:35:21
Start date:31/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:14:35:21
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:14:35:21
Start date:31/10/2024
Path:C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):true
Commandline:tasklist
Imagebase:0x7b0000
File size:79'360 bytes
MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:14:35:23
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\vcredist_x86.exe" /q
Imagebase:0x1000000
File size:5'073'240 bytes
MD5 hash:B88228D5FEF4B6DC019D69D4471F23EC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:14:35:25
Start date:31/10/2024
Path:C:\1be23190e4cbe7570e736d15\Setup.exe
Wow64 process (32bit):true
Commandline:c:\1be23190e4cbe7570e736d15\Setup.exe /q
Imagebase:0x800000
File size:78'152 bytes
MD5 hash:006F8A615020A4A17F5E63801485DF46
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:true

Target ID:31
Start time:14:35:29
Start date:31/10/2024
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0x7ff7c4a90000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:14:35:34
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Imagebase:0x400000
File size:6'482'264 bytes
MD5 hash:DBC54A8343ACC3271098DD7F2E5B7345
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:14:35:34
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-GNSC0.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$504A4,6221732,66048,C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Imagebase:0x400000
File size:729'280 bytes
MD5 hash:3E828ACD7AFDC653C0E0CA4F00A876C6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 3%, ReversingLabs
Has exited:true

Target ID:34
Start time:14:35:35
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root
Imagebase:0x1000000
File size:59'664 bytes
MD5 hash:5D077A0CDD077C014EEDB768FEB249BA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:14:35:35
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:36
                                                                                                                                                                                Start time:14:35:36
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert""
                                                                                                                                                                                Imagebase:0x1c0000
                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:37
                                                                                                                                                                                Start time:14:35:36
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:38
                                                                                                                                                                                Start time:14:35:36
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:39
                                                                                                                                                                                Start time:14:35:36
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem"
                                                                                                                                                                                Imagebase:0x4a0000
                                                                                                                                                                                File size:103'936 bytes
                                                                                                                                                                                MD5 hash:0C6B43C9602F4D5AC9DCF907103447C4
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true
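
Target IDs 34, 38 and 39 above are one procedure: certmgr.exe writes rdmroot.pem into the LocalMachine Root store, which every Windows TLS client on the host trusts; cmd.exe lists the Firefox profile directories; and a certutil.exe shipped in the installer's temp directory imports the same PEM into the selected profile's NSS database with trust "TCu,TCu,TCu". The Python below is an added triage example, not Joe Sandbox or RDM code. It parses records in this report's Key:Value layout, flags both trust-store writes, and decodes the NSS trust string. The record text is copied from the report (three records, trimmed to the fields used); the tokenizer, the rule names and the flag meanings (taken from the NSS certutil man page) are this example's own.

```python
"""Triage the certificate-related process records in this report.

Added example; this is neither Joe Sandbox code nor the installer's own
code. RECORDS is copied from the report's Target ID 34, 38 and 39 entries
(fields not needed here are dropped). The tokenizer, the NSS trust-flag
decoder and the three rules are this example's own assumptions about what
an analyst wants flagged; they are not report output.
"""
import re
from pathlib import PureWindowsPath

# Constructed from the report's process list (three records, trimmed).
RECORDS = r'''
Target ID:34
Path:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certmgr.exe
Commandline:"C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root

Target ID:38
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"

Target ID:39
Path:C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\certutil.exe
Commandline:"C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\." -i "C:\Users\user\AppData\Local\Temp\is-JDE4M.tmp\RdmCert\rdmroot.pem"
'''

# NSS certutil -t flags, per the certutil man page; the string is "ssl,email,objsign".
NSS_FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "T": "trusted CA to issue client certificates",
    "C": "trusted CA to issue server certificates",
    "u": "user cert (private key available)",
    "w": "warn when used",
}

# A Windows argument may glue quoted and unquoted runs: "C:\dir"\certutil.exe is one argument.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')


def parse_records(text):
    """Split Joe Sandbox 'Key:Value' lines into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def tokenize(cmdline):
    """Split a command line into arguments, dropping the quotes."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def option_value(args, flag):
    """Return the argument following `flag` (case-insensitive), or None."""
    for i, arg in enumerate(args[:-1]):
        if arg.lower() == flag.lower():
            return args[i + 1]
    return None


def decode_nss_trust(trust):
    """Map 'TCu,TCu,TCu' to {usage: [meaning, ...]} for ssl, email and object signing."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected three trust fields, got {trust!r}")
    return {usage: [NSS_FLAGS.get(ch, f"unknown flag {ch!r}") for ch in field]
            for usage, field in zip(("ssl", "email", "object_signing"), fields)}


def is_trusted_ca(trust):
    """True if any usage carries C or T: certificates issued by this CA will be accepted."""
    return any(ch in "CT" for ch in trust.replace(",", ""))


def triage(records):
    """Flag trust-store writes and the Firefox profile lookup that precedes one."""
    findings = []
    for rec in records:
        args = tokenize(rec.get("Commandline", ""))
        if not args:
            continue
        exe = PureWindowsPath(args[0]).name.lower()
        lowered = [a.lower() for a in args]
        if exe == "certmgr.exe" and "-add" in lowered:
            # certmgr -add ... -s -r <location> <store>: the store name is the last argument
            findings.append({"target": rec["Target ID"], "rule": "windows-cert-store-add",
                             "location": (option_value(args, "-r") or "").lower(),
                             "store": args[-1], "cert": option_value(args, "-c")})
        elif exe == "certutil.exe" and "-a" in lowered and option_value(args, "-t"):
            # Microsoft's certutil has no -A/-n/-t/-d; this is NSS certutil writing an NSS DB
            db = (option_value(args, "-d") or "").lower()
            trust = option_value(args, "-t")
            findings.append({"target": rec["Target ID"], "rule": "nss-cert-store-add",
                             "nickname": option_value(args, "-n"),
                             "firefox_profile": "\\mozilla\\firefox\\profiles\\" in db,
                             "trusted_ca": is_trusted_ca(trust),
                             "trust": decode_nss_trust(trust)})
        elif exe == "cmd.exe" and "dir" in lowered and any("firefox\\profiles" in a for a in lowered):
            findings.append({"target": rec["Target ID"], "rule": "firefox-profile-enumeration"})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(RECORDS)):
        print(finding)
```

Two points for anyone writing detections from this: a certutil.exe that runs from a temp directory with -A/-n/-t/-d is the NSS tool, not the Microsoft one in System32, so rules keyed on the Microsoft certutil switches will not see it; match on the NSS syntax or on a -d path under Mozilla\Firefox\Profiles instead. And "TCu" in all three positions makes the imported certificate a trusted issuer for TLS, S/MIME and object signing inside that profile, which is the same scope the LocalMachine Root write gives it for the rest of the host. On a live system, check the LocalMachine Root store for a certificate matching rdmroot.pem and the profile's certificate database for the nickname RDM_Device.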

Target ID:41
Start time:14:35:38
Start date:31/10/2024
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Imagebase:0x600000
File size:20'992 bytes
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:14:35:38
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\net.exe" stop RDMAppweb
Imagebase:0x2c0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:14:35:38
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:14:35:38
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 stop RDMAppweb
Imagebase:0xa00000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:14:35:40
Start date:31/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
Imagebase:0x1c0000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:14:35:40
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:14:35:40
Start date:31/10/2024
Path:C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):true
Commandline:tasklist
Imagebase:0x7b0000
File size:79'360 bytes
MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:14:35:41
Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
                                                                                                                                                                                Imagebase:0xee0000
                                                                                                                                                                                File size:16'896 bytes
                                                                                                                                                                                MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:49
                                                                                                                                                                                Start time:14:35:41
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
                                                                                                                                                                                Imagebase:0xee0000
                                                                                                                                                                                File size:16'896 bytes
                                                                                                                                                                                MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:50
                                                                                                                                                                                Start time:14:35:41
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
                                                                                                                                                                                Imagebase:0x130000
                                                                                                                                                                                File size:12'288 bytes
                                                                                                                                                                                MD5 hash:BA232235CDE212CF4900B84C7BF1CC0E
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:51
                                                                                                                                                                                Start time:14:35:42
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:52
                                                                                                                                                                                Start time:14:35:44
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-I4FFI.tmp\processList.txt"
                                                                                                                                                                                Imagebase:0x1c0000
                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:53
                                                                                                                                                                                Start time:14:35:44
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:54
                                                                                                                                                                                Start time:14:35:44
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:tasklist
                                                                                                                                                                                Imagebase:0x7b0000
                                                                                                                                                                                File size:79'360 bytes
                                                                                                                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:55
                                                                                                                                                                                Start time:14:35:44
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
                                                                                                                                                                                Imagebase:0x1c0000
                                                                                                                                                                                File size:236'544 bytes
                                                                                                                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:56
                                                                                                                                                                                Start time:14:35:44
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:57
                                                                                                                                                                                Start time:14:35:44
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:taskkill /F /IM "RDMAppman.exe" /T
                                                                                                                                                                                Imagebase:0xfe0000
                                                                                                                                                                                File size:74'240 bytes
                                                                                                                                                                                MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:58
                                                                                                                                                                                Start time:14:35:45
                                                                                                                                                                                Start date:31/10/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Windows\system32\net.exe" start RdmAppweb
                                                                                                                                                                                Imagebase:0x2c0000
                                                                                                                                                                                File size:47'104 bytes
                                                                                                                                                                                MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:14:35:45
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:14:35:45
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 start RdmAppweb
Imagebase:0x7ff7403e0000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:14:35:48
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_Support_4.0.3.1.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-QMVAB.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Imagebase:0x400000
File size:8'080'584 bytes
MD5 hash:A1234F8D3A7122BE13679CFA0D9EB3E6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Execution Graph

Execution Coverage:23.8%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:7.9%
Total number of Nodes:1541
Total number of Limit Nodes:23
6298->6299 6299->6279 6301 406e2c 21 API calls 6300->6301 6302 406ea2 GetLastError 6301->6302 6302->6290 6304 406b94 IsDBCSLeadByte 6303->6304 6306 406c85 6304->6306 6305 406ccf 6305->6096 6306->6305 6307 406ad0 IsDBCSLeadByte 6306->6307 6307->6306 6309 406d43 6308->6309 6310 406c70 IsDBCSLeadByte 6309->6310 6313 406d4e 6310->6313 6311 406b3a 6311->6101 6311->6102 6312 406ad0 IsDBCSLeadByte 6312->6313 6313->6311 6313->6312 6428 4024d0 6429 4024e4 6428->6429 6430 4024e9 6428->6430 6433 401918 4 API calls 6429->6433 6431 402518 6430->6431 6432 40250e RtlEnterCriticalSection 6430->6432 6435 4024ed 6430->6435 6443 402300 6431->6443 6432->6431 6433->6430 6436 402525 6439 402581 6436->6439 6440 402577 RtlLeaveCriticalSection 6436->6440 6438 401fd4 14 API calls 6441 402531 6438->6441 6440->6439 6441->6436 6453 40215c 6441->6453 6444 402314 6443->6444 6445 402335 6444->6445 6451 4023b8 6444->6451 6446 402344 6445->6446 6467 401b74 6445->6467 6446->6436 6446->6438 6450 402455 6450->6446 6452 401d00 9 API calls 6450->6452 6451->6446 6451->6450 6470 401d80 6451->6470 6474 401e84 6451->6474 6452->6446 6454 40217a 6453->6454 6455 402175 6453->6455 6457 4021ab RtlEnterCriticalSection 6454->6457 6459 4021b5 6454->6459 6461 40217e 6454->6461 6456 401918 4 API calls 6455->6456 6456->6454 6457->6459 6458 4021c1 6462 4022e3 RtlLeaveCriticalSection 6458->6462 6463 4022ed 6458->6463 6459->6458 6460 402244 6459->6460 6465 402270 6459->6465 6460->6461 6464 401d80 7 API calls 6460->6464 6461->6436 6462->6463 6463->6436 6464->6461 6465->6458 6466 401d00 7 API calls 6465->6466 6466->6458 6468 40215c 9 API calls 6467->6468 6469 401b95 6468->6469 6469->6446 6471 401d92 6470->6471 6472 401d89 6470->6472 6471->6451 6472->6471 6473 401b74 9 API calls 6472->6473 6473->6471 6479 401768 6474->6479 6476 401e99 6477 401ea6 6476->6477 6478 401dcc 9 API calls 6476->6478 6477->6451 6478->6477 6481 401787 6479->6481 6480 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6480->6481 6481->6480 6482 
40183b 6481->6482 6484 40132c LocalAlloc 6481->6484 6485 401821 6481->6485 6486 4017d6 6481->6486 6487 4017e7 6482->6487 6494 4015c4 6482->6494 6484->6481 6488 40150c VirtualFree 6485->6488 6490 40150c 6486->6490 6487->6476 6488->6487 6493 40153b 6490->6493 6491 401594 6491->6487 6492 401568 VirtualFree 6492->6493 6493->6491 6493->6492 6495 40160a 6494->6495 6496 401626 VirtualAlloc 6495->6496 6497 40163a 6495->6497 6496->6495 6496->6497 6497->6487 6498 4028d2 6499 4028da 6498->6499 6501 4028ef 6499->6501 6504 403554 6499->6504 6502 4025ac 4 API calls 6501->6502 6503 4028f4 6502->6503 6505 403566 6504->6505 6507 403578 6505->6507 6508 403604 6505->6508 6507->6499 6509 40357c 6508->6509 6510 4035aa 6509->6510 6515 4035d0 6509->6515 6516 4035b6 6509->6516 6511 4035b1 6510->6511 6512 4035b8 6510->6512 6513 403198 4 API calls 6511->6513 6514 4031b8 4 API calls 6512->6514 6513->6516 6514->6516 6517 40357c 4 API calls 6515->6517 6516->6505 6517->6516 6848 4019d3 6849 4019ba 6848->6849 6850 4019c3 RtlLeaveCriticalSection 6849->6850 6851 4019cd 6849->6851 6850->6851 5576 407ae8 SetFilePointer 5577 407b1f 5576->5577 5578 407b0f GetLastError 5576->5578 5578->5577 5579 407b18 5578->5579 5580 407908 35 API calls 5579->5580 5580->5577 6863 402be9 RaiseException 6864 402c04 6863->6864 6526 40b0ef 6527 40b061 6526->6527 6528 40b08d 6527->6528 6530 409978 9 API calls 6527->6530 6529 40b0a6 6528->6529 6533 40b0a0 RemoveDirectoryA 6528->6533 6531 40b0ba 6529->6531 6532 40b0af DestroyWindow 6529->6532 6530->6528 6534 40b0e2 6531->6534 6535 40357c 4 API calls 6531->6535 6532->6531 6533->6529 6536 40b0d8 6535->6536 6537 4025ac 4 API calls 6536->6537 6537->6534 6538 402af2 6539 402afe 6538->6539 6542 402ed0 6539->6542 6543 403154 4 API calls 6542->6543 6545 402ee0 6543->6545 6544 402b03 6545->6544 6547 402b0c 6545->6547 6548 402b25 6547->6548 6549 402b15 RaiseException 6547->6549 6548->6544 6549->6548 6869 405ff2 6871 405ff4 6869->6871 6870 406030 6874 405d90 19 API calls 6870->6874 
6871->6870 6872 406047 6871->6872 6873 40602a 6871->6873 6878 40512c 19 API calls 6872->6878 6873->6870 6875 40609c 6873->6875 6877 406043 6874->6877 6876 405e00 33 API calls 6875->6876 6876->6877 6879 403198 4 API calls 6877->6879 6880 406070 6878->6880 6881 4060d6 6879->6881 6882 405e00 33 API calls 6880->6882 6882->6877 6897 402dfa 6898 402e26 6897->6898 6899 402e0d 6897->6899 6901 402ba4 6899->6901 6902 402bc9 6901->6902 6903 402bad 6901->6903 6902->6898 6904 402bb5 RaiseException 6903->6904 6904->6902 6562 40b0fd 6571 4098e8 6562->6571 6564 40b102 6565 40b128 6564->6565 6566 40b120 MessageBoxA 6564->6566 6567 403198 4 API calls 6565->6567 6566->6565 6568 40b160 6567->6568 6569 403198 4 API calls 6568->6569 6570 40b168 6569->6570 6572 4098f4 GetCurrentProcess OpenProcessToken 6571->6572 6573 40994f ExitWindowsEx 6571->6573 6574 409906 6572->6574 6575 40990a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6572->6575 6573->6574 6574->6564 6575->6573 6575->6574 6905 409dfe 6908 409e00 6905->6908 6906 409e22 6907 409e3e CallWindowProcA 6907->6906 6908->6906 6908->6907 6580 403a80 CloseHandle 6581 403a90 6580->6581 6582 403a91 GetLastError 6580->6582 6583 404283 6584 4042c3 6583->6584 6585 403154 4 API calls 6584->6585 6586 404323 6585->6586 6909 404185 6910 4041ff 6909->6910 6911 4041cc 6910->6911 6912 403154 4 API calls 6910->6912 6913 404323 6912->6913 6587 403e87 6588 403e4c 6587->6588 6589 403e67 6588->6589 6590 403e62 6588->6590 6591 403e7b 6588->6591 6594 403e78 6589->6594 6595 402674 4 API calls 6589->6595 6593 403cc8 4 API calls 6590->6593 6592 402674 4 API calls 6591->6592 6592->6594 6593->6589 6595->6594 5355 407493 5356 407484 SetErrorMode 5355->5356 6605 403a97 6606 403aac 6605->6606 6607 403bbc GetStdHandle 6606->6607 6608 403b0e CreateFileA 6606->6608 6614 403ab2 6606->6614 6609 403c17 GetLastError 6607->6609 6622 403bba 6607->6622 6608->6609 6610 403b2c 6608->6610 6609->6614 6612 403b3b GetFileSize 6610->6612 6610->6622 6612->6609 6615 
403b4e SetFilePointer 6612->6615 6613 403be7 GetFileType 6613->6614 6617 403c02 CloseHandle 6613->6617 6615->6609 6618 403b6a ReadFile 6615->6618 6617->6614 6618->6609 6619 403b8c 6618->6619 6620 403b9f SetFilePointer 6619->6620 6619->6622 6620->6609 6621 403bb0 SetEndOfFile 6620->6621 6621->6609 6621->6622 6622->6613 6622->6614 5581 40aa98 5624 4030dc 5581->5624 5583 40aaae 5627 4042e8 5583->5627 5585 40aab3 5630 404654 GetModuleHandleA GetVersion 5585->5630 5589 40aabd 5721 406a18 5589->5721 5591 40aac2 5730 409520 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5591->5730 5598 40ab05 5758 40707c 5598->5758 5602 4031e8 18 API calls 5603 40ab23 5602->5603 5772 40795c 5603->5772 5608 407d94 InterlockedExchange 5612 40ab72 5608->5612 5610 40abb0 5792 40791c 5610->5792 5612->5610 5829 409f88 5612->5829 5613 40abf1 5796 407ea4 5613->5796 5614 40abd6 5614->5613 5615 409f88 18 API calls 5614->5615 5615->5613 5617 40ac16 5806 408f84 5617->5806 5621 40ac5c 5622 408f84 35 API calls 5621->5622 5623 40ac95 5621->5623 5622->5621 5839 403094 5624->5839 5626 4030e1 GetModuleHandleA GetCommandLineA 5626->5583 5628 403154 4 API calls 5627->5628 5629 404323 5627->5629 5628->5629 5629->5585 5631 4046a5 5630->5631 5632 404685 GetProcAddress 5630->5632 5634 4046ad GetProcAddress 5631->5634 5635 4048af GetProcAddress 5631->5635 5632->5631 5633 404696 5632->5633 5633->5631 5638 4046bc 5634->5638 5636 4048c5 GetProcAddress 5635->5636 5637 4048be 5635->5637 5640 4048d4 SetProcessDEPPolicy 5636->5640 5641 4048d8 5636->5641 5637->5636 5840 4045a0 GetSystemDirectoryA 5638->5840 5640->5641 5643 403198 4 API calls 5641->5643 5645 4048ed 5643->5645 5644 4031e8 18 API calls 5646 4046d8 5644->5646 5720 404a74 6F9C1CD0 5645->5720 5646->5635 5647 40470b 5646->5647 5648 4032fc 18 API calls 5646->5648 5843 40322c 5647->5843 5648->5647 5651 4032fc 18 API calls 5652 404726 5651->5652 5847 4045cc SetErrorMode 5652->5847 5655 40322c 4 API calls 5656 40473c 5655->5656 5657 4032fc 18 API 
calls 5656->5657 5658 404749 5657->5658 5659 4045cc 2 API calls 5658->5659 5660 404751 5659->5660 5661 40322c 4 API calls 5660->5661 5662 40475f 5661->5662 5663 4032fc 18 API calls 5662->5663 5664 40476c 5663->5664 5665 4045cc 2 API calls 5664->5665 5666 404774 5665->5666 5667 40322c 4 API calls 5666->5667 5668 404782 5667->5668 5669 4032fc 18 API calls 5668->5669 5670 40478f 5669->5670 5671 4045cc 2 API calls 5670->5671 5672 404797 5671->5672 5673 40322c 4 API calls 5672->5673 5674 4047a5 5673->5674 5675 4032fc 18 API calls 5674->5675 5676 4047b2 5675->5676 5677 4045cc 2 API calls 5676->5677 5678 4047ba 5677->5678 5679 40322c 4 API calls 5678->5679 5680 4047c8 5679->5680 5681 4032fc 18 API calls 5680->5681 5682 4047d5 5681->5682 5683 4045cc 2 API calls 5682->5683 5684 4047dd 5683->5684 5685 40322c 4 API calls 5684->5685 5686 4047eb 5685->5686 5687 4032fc 18 API calls 5686->5687 5688 4047f8 5687->5688 5689 4045cc 2 API calls 5688->5689 5690 404800 5689->5690 5691 40322c 4 API calls 5690->5691 5692 40480e 5691->5692 5693 4032fc 18 API calls 5692->5693 5694 40481b 5693->5694 5695 4045cc 2 API calls 5694->5695 5696 404823 5695->5696 5697 40322c 4 API calls 5696->5697 5698 404831 5697->5698 5699 4032fc 18 API calls 5698->5699 5700 40483e 5699->5700 5701 4045cc 2 API calls 5700->5701 5702 404846 5701->5702 5703 40322c 4 API calls 5702->5703 5704 404854 5703->5704 5705 4032fc 18 API calls 5704->5705 5706 404861 5705->5706 5707 4045cc 2 API calls 5706->5707 5708 404869 5707->5708 5709 40322c 4 API calls 5708->5709 5710 404877 5709->5710 5711 4032fc 18 API calls 5710->5711 5712 404884 5711->5712 5713 4045cc 2 API calls 5712->5713 5714 40488c 5713->5714 5715 40322c 4 API calls 5714->5715 5716 40489a 5715->5716 5717 4032fc 18 API calls 5716->5717 5718 4048a7 5717->5718 5719 4045cc 2 API calls 5718->5719 5719->5635 5720->5589 5856 4060f8 5721->5856 5731 409575 5730->5731 5936 407144 GetSystemDirectoryA 5731->5936 5735 40959c 5736 4032fc 18 API calls 5735->5736 5737 4095a9 
5736->5737 5949 40741c SetErrorMode 5737->5949 5740 407700 19 API calls 5741 4095c3 5740->5741 5742 4031b8 4 API calls 5741->5742 5743 4095dd 5742->5743 5744 40a018 GetSystemInfo VirtualQuery 5743->5744 5745 40a0cc 5744->5745 5748 40a042 5744->5748 5750 409c08 5745->5750 5746 40a0ad VirtualQuery 5746->5745 5746->5748 5747 40a06c VirtualProtect 5747->5748 5748->5745 5748->5746 5748->5747 5749 40a09b VirtualProtect 5748->5749 5749->5746 5977 407020 GetCommandLineA 5750->5977 5752 409cf0 5753 4031b8 4 API calls 5752->5753 5755 409d0a 5753->5755 5754 40707c 20 API calls 5757 409c25 5754->5757 5755->5598 5822 40a128 5755->5822 5756 403454 18 API calls 5756->5757 5757->5752 5757->5754 5757->5756 5759 4070a3 GetModuleFileNameA 5758->5759 5760 4070c7 GetCommandLineA 5758->5760 5761 403278 18 API calls 5759->5761 5767 4070cc 5760->5767 5762 4070c5 5761->5762 5764 4070f4 5762->5764 5763 4070d1 5765 403198 4 API calls 5763->5765 5769 403198 4 API calls 5764->5769 5768 4070d9 5765->5768 5766 406f40 18 API calls 5766->5767 5767->5763 5767->5766 5767->5768 5770 40322c 4 API calls 5768->5770 5771 407109 5769->5771 5770->5764 5771->5602 5773 407966 5772->5773 5984 4079f2 5773->5984 5987 4079f4 5773->5987 5774 407992 5775 4079a6 5774->5775 5776 407908 35 API calls 5774->5776 5779 40a0d4 FindResourceA 5775->5779 5776->5775 5780 40a0e9 5779->5780 5781 40a0ee SizeofResource 5779->5781 5782 409f88 18 API calls 5780->5782 5783 40a100 LoadResource 5781->5783 5784 40a0fb 5781->5784 5782->5781 5786 40a113 LockResource 5783->5786 5787 40a10e 5783->5787 5785 409f88 18 API calls 5784->5785 5785->5783 5789 40a124 5786->5789 5790 40a11f 5786->5790 5788 409f88 18 API calls 5787->5788 5788->5786 5789->5608 5789->5612 5791 409f88 18 API calls 5790->5791 5791->5789 5793 407930 5792->5793 5794 407940 5793->5794 5795 407868 34 API calls 5793->5795 5794->5614 5795->5794 5797 407eb1 5796->5797 5798 405ce0 18 API calls 5797->5798 5799 407f05 5797->5799 5798->5799 5800 407d94 InterlockedExchange 
5799->5800 5801 407f17 5800->5801 5802 405ce0 18 API calls 5801->5802 5803 407f2d 5801->5803 5802->5803 5804 407f70 5803->5804 5805 405ce0 18 API calls 5803->5805 5804->5617 5805->5804 5817 408fb5 5806->5817 5820 408ffe 5806->5820 5807 409049 5990 408134 5807->5990 5809 4034f0 18 API calls 5809->5817 5810 409060 5812 4031b8 4 API calls 5810->5812 5811 4034f0 18 API calls 5811->5820 5814 40907a 5812->5814 5813 403420 18 API calls 5813->5817 5836 405070 5814->5836 5815 4031e8 18 API calls 5815->5817 5816 4031e8 18 API calls 5816->5820 5817->5809 5817->5813 5817->5815 5819 408134 35 API calls 5817->5819 5817->5820 5818 403420 18 API calls 5818->5820 5819->5817 5820->5807 5820->5811 5820->5816 5820->5818 5821 408134 35 API calls 5820->5821 5821->5820 5823 40322c 4 API calls 5822->5823 5824 40a14b 5823->5824 5825 40a15a MessageBoxA 5824->5825 5826 40a16f 5825->5826 5827 403198 4 API calls 5826->5827 5828 40a177 5827->5828 5828->5598 5830 409f91 5829->5830 5831 409fa9 5829->5831 5832 405ce0 18 API calls 5830->5832 5833 405ce0 18 API calls 5831->5833 5835 409fa3 5832->5835 5834 409fba 5833->5834 5834->5610 5835->5610 5837 402594 18 API calls 5836->5837 5838 40507b 5837->5838 5838->5621 5839->5626 5851 40458c 5840->5851 5845 403230 5843->5845 5844 403252 5844->5651 5845->5844 5846 4025ac 4 API calls 5845->5846 5846->5844 5854 403414 5847->5854 5850 40461e 5850->5655 5852 4032c4 18 API calls 5851->5852 5853 40459b 5852->5853 5853->5644 5855 403418 LoadLibraryA 5854->5855 5855->5850 5857 405d90 19 API calls 5856->5857 5858 406109 5857->5858 5859 4056d0 GetSystemDefaultLCID 5858->5859 5861 405706 5859->5861 5860 40512c 19 API calls 5860->5861 5861->5860 5862 40565c 19 API calls 5861->5862 5863 4031e8 18 API calls 5861->5863 5865 405768 5861->5865 5862->5861 5863->5861 5864 40512c 19 API calls 5864->5865 5865->5864 5866 40565c 19 API calls 5865->5866 5867 4031e8 18 API calls 5865->5867 5868 4057eb 5865->5868 5866->5865 5867->5865 5869 4031b8 4 API calls 5868->5869 5870 405805 
5869->5870 5871 405814 GetSystemDefaultLCID 5870->5871 5928 40565c GetLocaleInfoA 5871->5928 5874 4031e8 18 API calls 5875 405854 5874->5875 5876 40565c 19 API calls 5875->5876 5877 405869 5876->5877 5878 40565c 19 API calls 5877->5878 5879 40588d 5878->5879 5934 4056a8 GetLocaleInfoA 5879->5934 5882 4056a8 GetLocaleInfoA 5883 4058bd 5882->5883 5884 40565c 19 API calls 5883->5884 5885 4058d7 5884->5885 5886 4056a8 GetLocaleInfoA 5885->5886 5887 4058f4 5886->5887 5888 40565c 19 API calls 5887->5888 5889 40590e 5888->5889 5890 4031e8 18 API calls 5889->5890 5891 40591b 5890->5891 5892 40565c 19 API calls 5891->5892 5893 405930 5892->5893 5894 4031e8 18 API calls 5893->5894 5895 40593d 5894->5895 5896 4056a8 GetLocaleInfoA 5895->5896 5897 40594b 5896->5897 5898 40565c 19 API calls 5897->5898 5899 405965 5898->5899 5900 4031e8 18 API calls 5899->5900 5901 405972 5900->5901 5902 40565c 19 API calls 5901->5902 5903 405987 5902->5903 5904 4031e8 18 API calls 5903->5904 5905 405994 5904->5905 5906 40565c 19 API calls 5905->5906 5907 4059a9 5906->5907 5908 4059c6 5907->5908 5909 4059b7 5907->5909 5911 40322c 4 API calls 5908->5911 5910 40322c 4 API calls 5909->5910 5912 4059c4 5910->5912 5911->5912 5913 40565c 19 API calls 5912->5913 5914 4059e8 5913->5914 5915 405a05 5914->5915 5916 4059f6 5914->5916 5918 403198 4 API calls 5915->5918 5917 40322c 4 API calls 5916->5917 5919 405a03 5917->5919 5918->5919 5920 4033b4 18 API calls 5919->5920 5921 405a27 5920->5921 5922 4033b4 18 API calls 5921->5922 5923 405a41 5922->5923 5924 4031b8 4 API calls 5923->5924 5925 405a5b 5924->5925 5926 406144 GetVersionExA 5925->5926 5927 40615b 5926->5927 5927->5591 5929 405683 5928->5929 5930 405695 5928->5930 5931 403278 18 API calls 5929->5931 5932 40322c 4 API calls 5930->5932 5933 405693 5931->5933 5932->5933 5933->5874 5935 4056c4 5934->5935 5935->5882 5953 405230 5936->5953 5939 406a88 5940 406a92 5939->5940 5941 406ab5 5939->5941 5956 406da0 5940->5956 5943 40322c 4 API calls 5941->5943 
5944 406abe 5943->5944 5944->5735 5945 406a99 5945->5941 5946 406aa4 5945->5946 5961 403340 5946->5961 5948 406ab2 5948->5735 5950 403414 5949->5950 5951 407454 LoadLibraryA 5950->5951 5952 40746a 5951->5952 5952->5740 5954 4032c4 18 API calls 5953->5954 5955 40523f 5954->5955 5955->5939 5957 406da7 5956->5957 5958 406dab 5956->5958 5957->5945 5976 406dc0 CharPrevA 5958->5976 5960 406dbc 5960->5945 5962 403344 5961->5962 5963 4033a5 5961->5963 5964 4031e8 5962->5964 5965 40334c 5962->5965 5968 403254 18 API calls 5964->5968 5971 4031fc 5964->5971 5965->5963 5966 40335b 5965->5966 5969 4031e8 18 API calls 5965->5969 5970 403254 18 API calls 5966->5970 5967 403228 5967->5948 5968->5971 5969->5966 5973 403375 5970->5973 5971->5967 5972 4025ac 4 API calls 5971->5972 5972->5967 5974 4031e8 18 API calls 5973->5974 5975 4033a1 5974->5975 5975->5948 5976->5960 5978 406f40 18 API calls 5977->5978 5979 407043 5978->5979 5980 406f40 18 API calls 5979->5980 5981 407055 5979->5981 5980->5979 5982 403198 4 API calls 5981->5982 5983 40706a 5982->5983 5983->5757 5985 4079f4 5984->5985 5986 407a33 CreateFileA 5985->5986 5986->5774 5988 403414 5987->5988 5989 407a33 CreateFileA 5988->5989 5989->5774 5991 40814f 5990->5991 5995 408144 5990->5995 5996 4080d8 5991->5996 5994 405ce0 18 API calls 5994->5995 5995->5810 5997 40812b 5996->5997 5998 4080ec 5996->5998 5997->5994 5997->5995 5998->5997 6000 408028 5998->6000 6001 408033 6000->6001 6002 408044 6000->6002 6003 405ce0 18 API calls 6001->6003 6004 40791c 34 API calls 6002->6004 6003->6002 6005 408058 6004->6005 6006 40791c 34 API calls 6005->6006 6007 408079 6006->6007 6008 407d94 InterlockedExchange 6007->6008 6009 40808e 6008->6009 6010 4080a4 6009->6010 6011 405ce0 18 API calls 6009->6011 6010->5998 6011->6010 6623 40949a 6624 40948c 6623->6624 6625 409428 Wow64RevertWow64FsRedirection 6624->6625 6626 409494 6625->6626 6627 40949c SetLastError 6628 4094a5 6627->6628 6012 407aa8 ReadFile 6013 407ac8 6012->6013 6014 407adf 
6012->6014 6015 407ad8 6013->6015 6016 407ace GetLastError 6013->6016 6017 407908 35 API calls 6015->6017 6016->6014 6016->6015 6017->6014 6629 402caa 6630 403154 4 API calls 6629->6630 6631 402caf 6630->6631 6932 4075aa 6933 407594 6932->6933 6934 403198 4 API calls 6933->6934 6935 40759c 6934->6935 6936 403198 4 API calls 6935->6936 6937 4075a4 6936->6937 6632 4028ac 6633 402594 18 API calls 6632->6633 6634 4028b6 6633->6634 6938 4093ac 6941 409278 6938->6941 6942 409281 6941->6942 6943 403198 4 API calls 6942->6943 6944 40928f 6942->6944 6943->6942 6945 4055b0 6946 4055c3 6945->6946 6947 4052a8 33 API calls 6946->6947 6948 4055d7 6947->6948 6635 40acb4 6636 40acd9 6635->6636 6637 409ddc 29 API calls 6636->6637 6640 40acde 6637->6640 6638 40ad31 6669 4026c4 GetSystemTime 6638->6669 6640->6638 6643 409254 18 API calls 6640->6643 6641 40ad36 6642 4097d0 46 API calls 6641->6642 6644 40ad3e 6642->6644 6645 40ad0d 6643->6645 6646 4031e8 18 API calls 6644->6646 6649 40ad15 MessageBoxA 6645->6649 6647 40ad4b 6646->6647 6648 406d78 19 API calls 6647->6648 6650 40ad58 6648->6650 6649->6638 6651 40ad22 6649->6651 6652 406b10 19 API calls 6650->6652 6653 405cb4 19 API calls 6651->6653 6654 40ad68 6652->6654 6653->6638 6655 406a88 19 API calls 6654->6655 6656 40ad79 6655->6656 6657 403340 18 API calls 6656->6657 6658 40ad87 6657->6658 6659 4031e8 18 API calls 6658->6659 6660 40ad97 6659->6660 6661 40795c 37 API calls 6660->6661 6662 40add6 6661->6662 6663 402594 18 API calls 6662->6663 6664 40adf6 6663->6664 6665 407ea4 19 API calls 6664->6665 6666 40ae38 6665->6666 6667 408134 35 API calls 6666->6667 6668 40ae5f 6667->6668 6669->6641 6670 401ab9 6671 401a96 6670->6671 6672 401aa9 RtlDeleteCriticalSection 6671->6672 6673 401a9f RtlLeaveCriticalSection 6671->6673 6673->6672

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 0040466F
• GetVersion.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 00404676
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048B5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048CB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 004048D6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcessVersion
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
• API String ID: 3297890031-2388063882
• Opcode ID: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
• Instruction ID: 9e7baa03e94b680687c531d55c537e9110a8ac934c54f9465d7227ec1282235b
• Opcode Fuzzy Hash: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
• Instruction Fuzzy Hash: B2611070600149AFDB00FBF6DA8398E77A99F80309B2045BBA604772D6D778EF059B5D

Control-flow Graph

APIs
• GetSystemInfo.KERNEL32(?), ref: 0040A02A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A035
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A076
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0A8
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0B8
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2441996862-0
                                                                                                                                                                                  • Opcode ID: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
                                                                                                                                                                                  • Instruction ID: f5309bbdda193f62b4be3c179e768a57e3f3f612c04de257546ab44ee606f1f6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 142190B1240308ABD6309E69CC85F5777D8DF85354F08493AFAC5E33C2D63DE860866A
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
• Instruction ID: d14b50eaf9df709ed1cf3d56deeb77a2084f63d122e7671578114c6bad5e918b
• Opcode Fuzzy Hash: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
• Instruction Fuzzy Hash: 68E0D87170021427D711A9699C86EFB735CDB58314F4006BFB909E73C6EDB59E8046ED

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 00409542
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409548
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 0040955C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409562
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
• Instruction ID: 3d1781b746021e9606986d5b6d55f7cbde73f6a932e0ba52378b2443c6d91f24
• Opcode Fuzzy Hash: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
• Instruction Fuzzy Hash: 79115470908244BEDB01FBA2CD43B5A7B68D784744F204477F501762D3DA7D5E08DA2D

Control-flow Graph

APIs
  • Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
• SetWindowLongA.USER32(000104A6,000000FC,Function_00009E00), ref: 0040AFB5
  • Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4
  • Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
  • Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
  • Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44
• RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
• DestroyWindow.USER32(000104A6,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 849423697-3001827809
• Opcode ID: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
• Instruction ID: d96ad4f456555d006dfdd6a111ba55fa130d32b67bbf9cfe256734ebf9c0f5f1
• Opcode Fuzzy Hash: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
• Instruction Fuzzy Hash: 95413070A006449BD711EBE9EE85B9A77E4EB58304F10427BF514BB2E1C7B89C49CB9C

Control-flow Graph

APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
• SetWindowLongA.USER32(000104A6,000000FC,Function_00009E00), ref: 0040AFB5
  • Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4
  • Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
  • Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
  • Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44
• RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
• DestroyWindow.USER32(000104A6,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3586484885-3001827809
• Opcode ID: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
• Instruction ID: 22e85acea042a1c9b241f29fbd05952515ad99a43a6683ef4ce3977848861488
• Opcode Fuzzy Hash: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
• Instruction Fuzzy Hash: 00410971A006049BD710EBE9EE85BAA77A4EB58304F10427AF514BB2E1D7789C48CB9C

Control-flow Graph

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
• GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44
  • Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
                                                                                                                                                                                  • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                                                                                                  • String ID: D
                                                                                                                                                                                  • API String ID: 3356880605-2746444292

Control-flow Graph

APIs
• RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Message
• String ID: .tmp$@z@$d~@
• API String ID: 2030045667-2080866987

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Message
• String ID: .tmp$@z@$d~@
• API String ID: 2030045667-2080866987

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446

Control-flow Graph

APIs
• RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
• RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
• LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
• RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0

Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409816
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040981F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                  • String ID: .tmp
                                                                                                                                                                                  • API String ID: 1375471231-2986845003
                                                                                                                                                                                  • Opcode ID: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
                                                                                                                                                                                  • Instruction ID: 48b9f2fdce89366346d31e95a36bae064327856a755920fc8e2ea7d65379a348
                                                                                                                                                                                  • Opcode Fuzzy Hash: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 23211575A10208ABDB05FFE5C8529DFB7B9EB48304F10457BE901B73C2DA789E05CAA5

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 487 409978-409989 488 4099d2-4099d7 487->488 489 40998b-40998c 487->489 490 40998e-409991 489->490 491 409993-40999c Sleep 490->491 492 40999e-4099a1 490->492 493 4099ac-4099b1 call 409438 491->493 492->493 494 4099a3-4099a7 Sleep 492->494 496 4099b6-4099b8 493->496 494->493 496->488 497 4099ba-4099c2 GetLastError 496->497 497->488 498 4099c4-4099cc GetLastError 497->498 498->488 499 4099ce-4099d0 498->499 499->488 499->490
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLastSleep
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1458359878-0
                                                                                                                                                                                  • Opcode ID: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
                                                                                                                                                                                  • Instruction ID: 55ccdd2d2ee1bdbcd31af2ea42c7aee1c1b219f05c386506858fe4dd166fe014
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6AF090B2A0511856CA25A6AE9881B6FB28CEAC0368714413FFA44F7383D43DDC0152BA
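The control_flow_graph line of this entry is a flattened edge list: each basic block appears as '<id> <start>-<end>' (or a single address for a one-instruction block) followed by the API or call it makes, and '<a>-><b>' tokens are edges. The back-edge 499->490 closes a loop whose blocks call Sleep, call 409438 and GetLastError twice before either exiting to 488 or going round again, i.e. a retry-with-delay loop around a file operation; the RemoveDirectoryA entry further down lists sub_409978 as its subcall. The Python below is an added worked example, not Joe Sandbox code: the token grammar is inferred from the printed line (an assumption), the sample string is copied from this entry, and it parses the line, recovers blocks and edges, and reports every loop that contains a Sleep call.

```python
"""Parse a flattened Joe Sandbox 'control_flow_graph' line into basic blocks
and edges, then flag loops whose blocks call Sleep.  Added example; the token
grammar is inferred from the printed report line, not from a documented schema."""
import re
from collections import defaultdict

# Sample input copied from the sub_409978 entry of this report.
CFG_409978 = (
    "control_flow_graph 487 409978-409989 488 4099d2-4099d7 487->488 "
    "489 40998b-40998c 487->489 490 40998e-409991 489->490 "
    "491 409993-40999c Sleep 490->491 492 40999e-4099a1 490->492 "
    "493 4099ac-4099b1 call 409438 491->493 492->493 "
    "494 4099a3-4099a7 Sleep 492->494 496 4099b6-4099b8 493->496 494->493 "
    "496->488 497 4099ba-4099c2 GetLastError 496->497 497->488 "
    "498 4099c4-4099cc GetLastError 497->498 498->488 "
    "499 4099ce-4099d0 498->499 499->488 499->490"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-fA-F]+(?:-[0-9a-fA-F]+)?$")  # "start" or "start-end"


def parse_cfg(line):
    """Return (blocks, edges): blocks maps id -> {start, end, label}; edges is
    a list of (src, dst).  Assumed grammar: '<id> <start>[-<end>] [label...]'
    defines a block, '<a>-><b>' is an edge, 'call <addr>' is a two-word label."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current, i = None, i + 1
        elif tok == "call" and i + 1 < len(tokens):
            if current is not None:            # keep the call target with its block
                blocks[current]["label"].append("call " + tokens[i + 1])
            i += 2
        elif tok.isdigit() and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")
            current = int(tok)
            blocks[current] = {"start": int(lo, 16), "end": int(hi or lo, 16), "label": []}
            i += 2
        else:                                  # API name attached to the last block
            if current is not None:
                blocks[current]["label"].append(tok)
            i += 1
    for b in blocks.values():
        b["label"] = " ".join(b["label"])
    return blocks, edges


def strongly_connected_components(blocks, edges):
    """Tarjan's algorithm; every cycle in the CFG lies inside one returned set."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    index, low, on_stack, stack, comps, counter = {}, {}, set(), [], [], [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(comp)

    for v in blocks:
        if v not in index:
            visit(v)
    return comps


def find_sleep_loops(line):
    """Return the loops (cyclic SCCs) that contain a Sleep call, with the APIs
    seen inside the loop and the address range the loop body spans."""
    blocks, edges = parse_cfg(line)
    self_loops = {a for a, b in edges if a == b}
    loops = []
    for comp in strongly_connected_components(blocks, edges):
        known = [n for n in comp if n in blocks]
        if not known or (len(comp) < 2 and not comp & self_loops):
            continue                           # single block, no back-edge: not a loop
        apis = sorted({blocks[n]["label"] for n in known if blocks[n]["label"]})
        if any(a.split()[0] == "Sleep" for a in apis):
            loops.append({"blocks": sorted(comp), "apis": apis,
                          "range": (min(blocks[n]["start"] for n in known),
                                    max(blocks[n]["end"] for n in known))})
    return loops


if __name__ == "__main__":
    for loop in find_sleep_loops(CFG_409978):
        print("Sleep loop %#x-%#x over blocks %s calling %s" % (
            loop["range"][0], loop["range"][1], loop["blocks"], ", ".join(loop["apis"])))
```

Run as-is it reports one loop spanning 0x40998e-0x4099d0 over blocks 490-499 calling GetLastError, Sleep and sub_409438. The same parser runs over the other control_flow_graph lines in this report; the critical-section graph of sub_401fd4 has no back-edge, so it reports nothing there, which is the expected negative.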

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 500 401fd4-401fe6 501 401fe8 call 401918 500->501 502 401ffb-402010 500->502 506 401fed-401fef 501->506 504 402012-402017 RtlEnterCriticalSection 502->504 505 40201c-402025 502->505 504->505 507 402027 505->507 508 40202c-402032 505->508 506->502 509 401ff1-401ff6 506->509 507->508 510 402038-40203c 508->510 511 4020cb-4020d1 508->511 512 40214f-402158 509->512 515 402041-402050 510->515 516 40203e 510->516 513 4020d3-4020e0 511->513 514 40211d-40211f call 401ee0 511->514 517 4020e2-4020ea 513->517 518 4020ef-40211b call 402f54 513->518 524 402124-40213b 514->524 515->511 519 402052-402060 515->519 516->515 517->518 518->512 522 402062-402066 519->522 523 40207c-402080 519->523 528 402068 522->528 529 40206b-40207a 522->529 525 402082 523->525 526 402085-4020a0 523->526 531 402147 524->531 532 40213d-402142 RtlLeaveCriticalSection 524->532 525->526 533 4020a2-4020c6 call 402f54 526->533 528->529 529->533 532->531 533->512
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
                                                                                                                                                                                    • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                                                                                                                    • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                                                                                                                    • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                                                                                                                    • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 296031713-0
                                                                                                                                                                                  • Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
                                                                                                                                                                                  • Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
                                                                                                                                                                                  • Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000,00000000,00409495), ref: 0040946F
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,00409495), ref: 00409477
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DeleteErrorFileLast
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2018770650-0
                                                                                                                                                                                  • Opcode ID: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
                                                                                                                                                                                  • Instruction ID: 3a2bfa3924d7da3ec485a5c2eebce42195f764b2344cc107bbad9e5710e02f6c
                                                                                                                                                                                  • Opcode Fuzzy Hash: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3EF0AF71A08608ABCB01EFB59C4159EB3A8EB8831476045BBF808F32C3E6395E018599
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetErrorMode.KERNEL32(00008000), ref: 00407426
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00000000,00000000,00407470,?,00000000,0040748E,?,00008000), ref: 00407455
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLibraryLoadMode
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2987862817-0
                                                                                                                                                                                  • Opcode ID: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
                                                                                                                                                                                  • Instruction ID: f52ba4a9feec5d4d4615fe406f45eaba014741ff6d770d8a308f032ff20cb8dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
                                                                                                                                                                                  • Instruction Fuzzy Hash: 26F08270A14708BEDB025FB68C5282ABAECE749B1475288B6F900A2AD2E53C5820C569
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
                                                                                                                                                                                  • DestroyWindow.USER32(000104A6,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5
                                                                                                                                                                                    • Part of subcall function 00409978: Sleep.KERNEL32(?), ref: 00409997
                                                                                                                                                                                    • Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099BA
                                                                                                                                                                                    • Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099C4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                   • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2192421792-0
                                                                                                                                                                                  • Opcode ID: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
                                                                                                                                                                                  • Instruction ID: 80fe6e0f7824975e72fa29ef6d7a10d3d2514edd0f005a574200bdc13b2d30de
                                                                                                                                                                                  • Opcode Fuzzy Hash: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
                                                                                                                                                                                  • Instruction Fuzzy Hash: C9F0CD70A105009BD725ABA9EE99B2632E5E7A4305F04453AA110BB2F1C7BD9C88CA8D
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B07
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B0F
  • Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,021003AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
• Instruction ID: 2b235249b0a7ee07bcb8c1d8603e448d3cb6330bb11491e7c51f1e2a1a123f33
• Opcode Fuzzy Hash: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
• Instruction Fuzzy Hash: 13E092767081005FD610E55DC881A9B33DCDFC53A8F004537B654EB1D1D675B8008366
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407ABF
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407ACE
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
• Instruction ID: e15dfe76c2c2153dd18fa5b66318eead10a3336b01bc7908bb5745e2d55223c8
• Opcode Fuzzy Hash: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
• Instruction Fuzzy Hash: DAE092A17181106EEB20A65E9884F6B67DCCBC9314F04817BF508EB282D6B8DC008777
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A57
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A63
  • Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,021003AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
• Instruction ID: b2e9c79a061d94bc6c1ac4e6a69a759f2ef78579472dc31f5d333ffaff30462c
• Opcode Fuzzy Hash: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
• Instruction Fuzzy Hash: C7E01AB1A002109EEB20EBB58981B5662D89B44364B048576A654DB2C6D274E800CB66
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
• Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
• Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
• Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9
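Decoding the raw constants in the VirtualAlloc/VirtualFree entry above and in the CreateFileA entries further down. This is an added example, not code from the Joe Sandbox report or from the analysed sample: a small Python parser for the report's `Name.MODULE(args), ref: ADDR` lines that maps the hex values of the flag-valued parameters to their documented Win32 names. The sample input is copied from this section; the flag tables are the public winnt.h / fileapi.h values. One assumption is mine: values listed beyond an API's declared parameter count are treated as surrounding stack words printed for context, not as arguments.

```python
import re

# Line shape used in the report's "APIs" lists: "• Name.MODULE(a,b,...), ref: ADDR"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants (winnt.h / fileapi.h).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE"}
FILE_ATTR = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
             0x04: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def bits(value, table):
    """Name every set bit found in table; leave unknown bits as hex."""
    known = [b for b in table if (value & b) == b]
    names = [table[b] for b in known]
    rest = value & ~sum(known)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def page_prot(value):
    """PAGE_* protections are exclusive base values plus optional modifier bits."""
    base = PAGE_BASE.get(value & 0xFF, hex(value & 0xFF))
    mods = [n for b, n in PAGE_MODS.items() if value & b]
    return "|".join([base] + mods)


# Declared parameter lists and a decoder for each flag-valued parameter.
SIGNATURES = {
    "VirtualAlloc": (["lpAddress", "dwSize", "flAllocationType", "flProtect"],
                     {"flAllocationType": lambda v: bits(v, MEM_FLAGS),
                      "flProtect": page_prot}),
    "VirtualFree": (["lpAddress", "dwSize", "dwFreeType"],
                    {"dwFreeType": lambda v: bits(v, MEM_FLAGS)}),
    "CreateFileA": (["lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                     "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile"],
                    {"dwDesiredAccess": lambda v: bits(v, ACCESS),
                     "dwCreationDisposition": lambda v: DISPOSITION.get(v, hex(v)),
                     "dwFlagsAndAttributes": lambda v: bits(v, FILE_ATTR)}),
}


def parse_api_lines(text):
    """Return one dict per parsable line: api, module, ref, params, extra."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        names, decoders = SIGNATURES.get(m["api"], ([], {}))
        params = {}
        for name, raw in zip(names, args):
            if raw == "?":                      # value the sandbox could not resolve
                params[name] = "?"
            else:
                value = int(raw, 16)
                params[name] = decoders[name](value) if name in decoders else raw
        # Assumption: anything past the declared parameters is stack context.
        calls.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                      "params": params, "extra": args[len(names):]})
    return calls


# Constructed sample: the three call lines copied from this section of the report.
SAMPLE = """\
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34
"""

if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE):
        print(f"{call['api']} @ {call['ref']}")
        for name, val in call["params"].items():
            print(f"    {name:<22} {val}")
```

For the listed VirtualAlloc call this yields flAllocationType = MEM_RESERVE and flProtect = PAGE_NOACCESS, i.e. address space is reserved without being committed, and the paired VirtualFree with MEM_RELEASE hands it back; nothing in this pair makes memory executable. The CreateFileA call decodes only dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL, because the access mask and creation disposition are unresolved (`?`) in the report.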
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00405806), ref: 004056EF
  • Part of subcall function 0040512C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405149
  • Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: cc3e47e390c1b33211b3d9873ad613d49b391b3cefde462b73c2cd7d0ab13d86
• Instruction ID: 82c784cd7830e1ca4cd44457dad2f2fa429cf4e25a926eea24d274db27b93b1b
• Opcode Fuzzy Hash: cc3e47e390c1b33211b3d9873ad613d49b391b3cefde462b73c2cd7d0ab13d86
• Instruction Fuzzy Hash: C1316F75E00509ABCB00EF95CC819EEB379FF84304F508577E819BB285E739AE058B98
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 5bc26aafbd8d3cc7e99f1b4789c5f450247a7b7967715b9db18694e2d0d8c5c5
• Instruction ID: 042ae40820150c0b4851109f40d588701a9899a67d40570aa5757512981d293a
• Opcode Fuzzy Hash: 5bc26aafbd8d3cc7e99f1b4789c5f450247a7b7967715b9db18694e2d0d8c5c5
• Instruction Fuzzy Hash: 6FE0ED753442586EE340DAED6D81FA677DC974A714F008132B998DB382D4719D118BA8
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: b99464c5deed90c436ccb8039285842caa459c4cfee6896295820f2cd2136feb
• Instruction ID: 8ced2eed2e357b00b36525f681a949bcf9e14530d7ff6951507f50c56b932d1f
• Opcode Fuzzy Hash: b99464c5deed90c436ccb8039285842caa459c4cfee6896295820f2cd2136feb
• Instruction Fuzzy Hash: 95E0ED753442586EE240DAED6D81F96779C974A714F008122B998DB382D4719D118BA8
                                                                                                                                                                                  APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406E74,?,?,?,?,00000000,?,00406E89,004071E3,00000000,00407228,?,?,?), ref: 00406E57
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B5B
  • Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,021003AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095C3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0040771F
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• SetEndOfFile.KERNEL32(?,0211C000,0040AEF9,00000000), ref: 00407B2F
  • Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,021003AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetErrorMode.KERNEL32(?,00407495), ref: 00407488
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• SetErrorMode.KERNEL32(?,00407495), ref: 00407488
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
APIs
• CharPrevA.USER32(?,?,00406DBC,?,00406A99,?,?,0040959C,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE), ref: 00406DC2
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0040841C
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

APIs
• VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
• Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
• Opcode Fuzzy Hash: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
• Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8

APIs
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
• Instruction ID: 1333f047c66b0d9688efca9d11da816c999e90cdcd736c06211d3ba452c28d9f
• Opcode Fuzzy Hash: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
• Instruction Fuzzy Hash: B4D0A7D1B00A6007E315F2BF498964B92C85F88655F08843BF685E73D1D67CAC00D38D

APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00408319), ref: 0040834B
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
• Instruction ID: 2902acfab023b9b2f0de86f7a78627cda5d54dfc4b924a21aa22279fbea0049e
• Opcode Fuzzy Hash: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
• Instruction Fuzzy Hash: 64D002B17553046FDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6F775D8008B14

APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004098F7
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004098FD
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409916
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040993D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 00409942
• ExitWindowsEx.USER32(00000002,00000000), ref: 00409953
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
• Instruction ID: c716305aa6b255ea0f8bf04b803605974c64d9a32ef9e4c16490a57abd096404
• Opcode Fuzzy Hash: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
• Instruction Fuzzy Hash: 17F062B0284302B6E610AAB18C07F2722885B81B18F40493EB711F52C3D7BDD904866F

APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A0DE
• SizeofResource.KERNEL32(00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040A0F1
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000), ref: 0040A103
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132), ref: 0040A114
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
• Instruction ID: 6e0ad9993521ca4487a6dc9182c9ec88a9d7ecf9898e216691337b01ea42cf55
• Opcode Fuzzy Hash: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
• Instruction Fuzzy Hash: 92E0EA9078970725EAA136E608D6B6B10884BB578EF40113ABB14B92C3DDBC8C14516E

APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
• Instruction ID: 0ac2273093169a9723f5a49d7def2a1a0e4efde15c2d8dcba0568209acb81ea7
• Opcode Fuzzy Hash: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
• Instruction Fuzzy Hash: 34D05EA631E6502AE310519B2D85EBB4EACCAC57A4F54483BF64CD7252D2248C069776

APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
• Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
• Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
• Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748

Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction ID: 388b29b0a79f5f19ed4b4953a6a76f47c3e14b9604a8131d453ab3a085cd796f
• Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction Fuzzy Hash: BC32E675E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF54
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 004074C9
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004074CF
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 0040751D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressCloseHandleModuleProc
                                                                                                                                                                                  • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                                                                                                  • API String ID: 4190037839-2401316094
                                                                                                                                                                                  • Opcode ID: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
                                                                                                                                                                                  • Instruction ID: b0f7b576ff72b1c2059ac61aa9c71175e867ef76c41006bc9f97b140b7c9741a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 02215470E04209BBDB00EAE5CC55ADE77A8AB44304F508877A900F36C1E77CBA01C75A
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                                                                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                                                                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                                                                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                                                                                                  • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1694776339-0
                                                                                                                                                                                  • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                  • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                                                                                                  • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                  • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetSystemDefaultLCID.KERNEL32(00000000,00405A5C,?,?,?,?,00000000,00000000,00000000,?,00406A3B,00000000,00406A4E), ref: 0040582E
                                                                                                                                                                                    • Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A
                                                                                                                                                                                    • Part of subcall function 004056A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InfoLocale$DefaultSystem
                                                                                                                                                                                  • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                                                                                                  • API String ID: 1044490935-665933166
                                                                                                                                                                                  • Opcode ID: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
                                                                                                                                                                                  • Instruction ID: 1f8fb3564ea85801462352e9f704d9e8acf1e4fd8595550e023c4eac14c4b858
                                                                                                                                                                                  • Opcode Fuzzy Hash: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B513E34B006486BDB00FAA58C81A8F77A9DB99304F50857BA515BB3C6CA3DDA098F5C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                                                                                                                  • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                                                                                                                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$AllocString
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 262959230-0
                                                                                                                                                                                  • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                                                                                                                                                  • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A15D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Setup, xrefs: 0040A14D
                                                                                                                                                                                  • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A141
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Message
                                                                                                                                                                                  • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                                                                                                                  • API String ID: 2030045667-3271211647
                                                                                                                                                                                  • Opcode ID: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
                                                                                                                                                                                  • Instruction ID: 9b5d989b58a55d658cadae164e54e3781760331d38193a884cd145b826483737
                                                                                                                                                                                  • Opcode Fuzzy Hash: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
                                                                                                                                                                                  • Instruction Fuzzy Hash: 87E065302443087EE312EA629C13F5E7BACE789B54F614477F500B55C1D6795E10D46D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,0040AAAE), ref: 004030E3
                                                                                                                                                                                  • GetCommandLineA.KERNEL32(00000000,0040AAAE), ref: 004030EE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000E.00000002.2291651219.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.2291626109.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291692613.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000E.00000002.2291721324.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CommandHandleLineModule
• String ID: U1hd.@
• API String ID: 2123368496-2904493091
• Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
• Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
• Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
• Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 106
                                                                                                                                                                                  execution_graph 50058 42f9c0 50059 42f9cb 50058->50059 50060 42f9cf NtdllDefWindowProc_A 50058->50060 50060->50059 50061 40d084 50064 407360 WriteFile 50061->50064 50065 40737d 50064->50065 50066 44b948 50067 44b956 50066->50067 50069 44b975 50066->50069 50067->50069 50070 44b82c 50067->50070 50071 44b85f 50070->50071 50081 414f38 50071->50081 50073 44b872 50075 44b89f GetDC 50073->50075 50104 40357c 50073->50104 50085 41a638 50075->50085 50078 44b8d0 50093 44b560 50078->50093 50080 44b8e4 ReleaseDC 50080->50069 50082 414f46 50081->50082 50118 4034e0 50082->50118 50084 414f53 50084->50073 50086 41a663 50085->50086 50087 41a6ff 50085->50087 50225 403520 50086->50225 50088 403400 4 API calls 50087->50088 50089 41a717 SelectObject 50088->50089 50089->50078 50091 41a6f3 CreateFontIndirectA 50091->50087 50092 41a6bb 50092->50091 50094 44b577 50093->50094 50095 44b60a 50094->50095 50096 44b5f3 50094->50096 50097 44b58a 50094->50097 50095->50080 50098 44b603 DrawTextA 50096->50098 50097->50095 50099 402648 18 API calls 50097->50099 50098->50095 50100 44b59b 50099->50100 50101 44b5b9 MultiByteToWideChar DrawTextW 50100->50101 50102 402660 4 API calls 50101->50102 50103 44b5eb 50102->50103 50103->50080 50105 403580 50104->50105 50106 4035bf 50104->50106 50107 40358a 50105->50107 50110 403450 50105->50110 50106->50075 50108 4035b4 50107->50108 50109 40359d 50107->50109 50113 4038a4 18 API calls 50108->50113 50228 4038a4 50109->50228 50114 4034bc 18 API calls 50110->50114 50115 403464 50110->50115 50112 403490 50112->50075 50117 4035a2 50113->50117 50114->50115 50115->50112 50116 402660 4 API calls 50115->50116 50116->50112 50117->50075 50123 4034bc 50118->50123 50120 4034f0 50128 403400 50120->50128 50124 4034c0 50123->50124 50125 4034dc 50123->50125 50132 402648 50124->50132 50125->50120 50129 
403406 50128->50129 50130 40341f 50128->50130 50129->50130 50220 402660 50129->50220 50130->50084 50133 40264c 50132->50133 50136 402656 50132->50136 50138 402088 50133->50138 50134 402652 50134->50136 50149 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50134->50149 50136->50120 50139 40209c 50138->50139 50142 4020a1 50138->50142 50150 4019cc RtlInitializeCriticalSection 50139->50150 50141 4020c6 RtlEnterCriticalSection 50143 4020d0 50141->50143 50142->50141 50142->50143 50146 4020a5 50142->50146 50143->50146 50157 401f94 50143->50157 50146->50134 50147 4021f1 RtlLeaveCriticalSection 50148 4021fb 50147->50148 50148->50134 50149->50136 50151 4019f0 RtlEnterCriticalSection 50150->50151 50152 4019fa 50150->50152 50151->50152 50153 401a18 LocalAlloc 50152->50153 50154 401a32 50153->50154 50155 401a81 50154->50155 50156 401a77 RtlLeaveCriticalSection 50154->50156 50155->50142 50156->50155 50158 401fa4 50157->50158 50159 401ff4 50158->50159 50160 401fd0 50158->50160 50163 401f0c 50158->50163 50159->50147 50159->50148 50160->50159 50168 401db4 50160->50168 50172 40178c 50163->50172 50166 401f29 50166->50158 50169 401dd2 50168->50169 50170 401e02 50168->50170 50169->50159 50170->50169 50194 401d1c 50170->50194 50176 4017a8 50172->50176 50173 4017b2 50191 401678 VirtualAlloc 50173->50191 50176->50173 50177 40180f 50176->50177 50179 401803 50176->50179 50183 4014e4 50176->50183 50192 4013e0 LocalAlloc 50176->50192 50177->50166 50182 401e80 9 API calls 50177->50182 50193 4015c0 VirtualFree 50179->50193 50180 4017be 50180->50177 50182->50166 50184 4014f3 VirtualAlloc 50183->50184 50186 401520 50184->50186 50187 401543 50184->50187 50188 401398 LocalAlloc 50186->50188 50187->50176 50189 40152c 50188->50189 50189->50187 50190 401530 VirtualFree 50189->50190 50190->50187 50191->50180 50192->50176 50193->50177 50195 401d2e 50194->50195 50196 401d51 50195->50196 50197 401d63 50195->50197 50207 401940 50196->50207 50199 401940 3 API calls 50197->50199 50200 401d61 
50199->50200 50201 401d79 50200->50201 50217 401bf8 9 API calls 50200->50217 50201->50169 50203 401d88 50204 401da2 50203->50204 50218 401c4c 9 API calls 50203->50218 50219 401454 LocalAlloc 50204->50219 50208 401966 50207->50208 50209 4019bf 50207->50209 50210 40170c VirtualFree 50208->50210 50209->50200 50211 401973 50210->50211 50212 4013e0 LocalAlloc 50211->50212 50213 401983 50212->50213 50214 40199a 50213->50214 50215 4015c0 VirtualFree 50213->50215 50214->50209 50215->50214 50217->50203 50218->50204 50219->50201 50221 402664 50220->50221 50222 40266e 50220->50222 50221->50222 50224 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50221->50224 50222->50130 50222->50222 50224->50222 50226 4034e0 18 API calls 50225->50226 50227 40352a 50226->50227 50227->50092 50229 4038b1 50228->50229 50236 4038e1 50228->50236 50230 4038da 50229->50230 50232 4038bd 50229->50232 50233 4034bc 18 API calls 50230->50233 50231 403400 4 API calls 50234 4038cb 50231->50234 50237 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50232->50237 50233->50236 50234->50117 50236->50231 50237->50234 50238 40d2cc 50239 40d2d4 50238->50239 50240 40d2fe 50239->50240 50241 40d302 50239->50241 50242 40d2f7 50239->50242 50244 40d306 50241->50244 50245 40d318 50241->50245 50251 406298 GlobalHandle GlobalUnlock GlobalFree 50242->50251 50250 40626c GlobalAlloc GlobalLock 50244->50250 50252 40627c GlobalHandle GlobalUnlock GlobalReAlloc GlobalLock 50245->50252 50248 40d314 50248->50240 50253 40910c 50248->50253 50250->50248 50251->50240 50252->50248 50254 409118 50253->50254 50261 40723c LoadStringA 50254->50261 50259 403400 4 API calls 50260 40915e 50259->50260 50260->50240 50262 4034e0 18 API calls 50261->50262 50263 407269 50262->50263 50264 403450 50263->50264 50265 403454 50264->50265 50266 403464 50264->50266 50265->50266 50268 4034bc 18 API calls 50265->50268 50267 403490 50266->50267 50269 402660 4 API calls 50266->50269 50267->50259 50268->50266 50269->50267 50270 413a8c 
SetWindowLongA GetWindowLongA 50271 413ae9 SetPropA SetPropA 50270->50271 50272 413acb GetWindowLongA 50270->50272 50276 41f7ec 50271->50276 50272->50271 50273 413ada SetWindowLongA 50272->50273 50273->50271 50281 4156c0 50276->50281 50288 42405c 50276->50288 50382 423ed4 50276->50382 50277 413b39 50284 4156cd 50281->50284 50282 415733 50389 424fdc 13 API calls 50282->50389 50283 415728 50287 415731 50283->50287 50390 4154ac 60 API calls 50283->50390 50284->50282 50284->50283 50284->50287 50287->50277 50289 424092 50288->50289 50304 4240b3 50289->50304 50391 423fb8 50289->50391 50292 42413c 50296 424143 50292->50296 50297 424177 50292->50297 50293 4240dd 50294 4240e3 50293->50294 50295 4241a0 50293->50295 50298 4240e8 50294->50298 50312 424115 50294->50312 50301 4241b2 50295->50301 50302 4241bb 50295->50302 50303 424149 50296->50303 50341 424401 50296->50341 50299 424182 50297->50299 50300 4244ea IsIconic 50297->50300 50308 424246 50298->50308 50309 4240ee 50298->50309 50310 424526 50299->50310 50311 42418b 50299->50311 50300->50304 50305 4244fe GetFocus 50300->50305 50313 4241c8 50301->50313 50314 4241b9 50301->50314 50400 4245e4 11 API calls 50302->50400 50306 424363 SendMessageA 50303->50306 50307 424157 50303->50307 50304->50277 50305->50304 50317 42450f 50305->50317 50306->50304 50307->50304 50339 424110 50307->50339 50360 4243a6 50307->50360 50413 423fd4 NtdllDefWindowProc_A 50308->50413 50318 4240f7 50309->50318 50319 42426e PostMessageA 50309->50319 50435 424ca0 WinHelpA PostMessageA 50310->50435 50322 42453d 50311->50322 50311->50339 50312->50304 50330 42412e 50312->50330 50331 42428f 50312->50331 50401 42462c IsIconic 50313->50401 50409 423fd4 NtdllDefWindowProc_A 50314->50409 50434 41f444 GetCurrentThreadId EnumThreadWindows 50317->50434 50325 424100 50318->50325 50326 4242f5 50318->50326 50419 423fd4 NtdllDefWindowProc_A 50319->50419 50328 424546 50322->50328 50329 42455b 50322->50329 50334 424109 50325->50334 50335 42421e IsIconic 50325->50335 50336 
4242fe 50326->50336 50337 42432f 50326->50337 50327 424289 50327->50304 50436 424924 50328->50436 50442 42497c LocalAlloc TlsSetValue TlsGetValue TlsGetValue SendMessageA 50329->50442 50330->50339 50340 42425b 50330->50340 50395 423fd4 NtdllDefWindowProc_A 50331->50395 50333 424516 50333->50304 50345 42451e SetFocus 50333->50345 50334->50339 50346 4241e1 50334->50346 50348 42423a 50335->50348 50349 42422e 50335->50349 50421 423f64 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50336->50421 50396 423fd4 NtdllDefWindowProc_A 50337->50396 50339->50304 50399 423fd4 NtdllDefWindowProc_A 50339->50399 50414 4245c8 50340->50414 50341->50304 50356 424427 IsWindowEnabled 50341->50356 50344 424295 50353 4242d3 50344->50353 50354 4242b1 50344->50354 50345->50304 50346->50304 50410 42309c ShowWindow PostMessageA PostQuitMessage 50346->50410 50412 423fd4 NtdllDefWindowProc_A 50348->50412 50411 424010 29 API calls 50349->50411 50362 423ed4 6 API calls 50353->50362 50420 423f64 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50354->50420 50355 424306 50364 424318 50355->50364 50422 41f3a8 50355->50422 50356->50304 50365 424435 50356->50365 50359 424335 50366 42434d 50359->50366 50397 41f2f4 GetCurrentThreadId EnumThreadWindows 50359->50397 50360->50304 50367 4243c8 IsWindowEnabled 50360->50367 50369 4242db PostMessageA 50362->50369 50428 423fd4 NtdllDefWindowProc_A 50364->50428 50375 42443c IsWindowVisible 50365->50375 50373 423ed4 6 API calls 50366->50373 50367->50304 50374 4243d6 50367->50374 50368 4242b9 PostMessageA 50368->50304 50369->50304 50373->50304 50429 412760 21 API calls 50374->50429 50375->50304 50377 42444a GetFocus 50375->50377 50430 418630 50377->50430 50379 42445f SetFocus 50432 415690 50379->50432 50383 423f5d 50382->50383 50384 423ee4 50382->50384 50383->50277 50384->50383 50385 423eea EnumWindows 50384->50385 50385->50383 50386 423f06 GetWindow GetWindowLongA 50385->50386 50544 423e6c GetWindow 50385->50544 50387 423f25 50386->50387 
50387->50383 50388 423f51 SetWindowPos 50387->50388 50388->50383 50388->50387 50389->50287 50390->50287 50392 423fc2 50391->50392 50393 423fcd 50391->50393 50392->50393 50443 408b70 GetSystemDefaultLCID 50392->50443 50393->50292 50393->50293 50395->50344 50396->50359 50398 41f379 50397->50398 50398->50366 50399->50304 50400->50304 50402 42463d SetActiveWindow 50401->50402 50407 424673 50401->50407 50516 423a9c 50402->50516 50406 42465a 50406->50407 50408 42466d SetFocus 50406->50408 50407->50304 50408->50407 50409->50304 50410->50304 50411->50304 50412->50304 50413->50304 50529 41df80 50414->50529 50417 4245e0 50417->50304 50418 4245d4 LoadIconA 50418->50417 50419->50327 50420->50368 50421->50355 50423 41f3b0 IsWindow 50422->50423 50424 41f3dc 50422->50424 50425 41f3ca 50423->50425 50426 41f3bf EnableWindow 50423->50426 50424->50364 50425->50423 50425->50424 50427 402660 4 API calls 50425->50427 50426->50425 50427->50425 50428->50304 50429->50304 50431 41863a 50430->50431 50431->50379 50433 4156ab SetFocus 50432->50433 50433->50304 50434->50333 50435->50327 50437 424930 50436->50437 50439 42494a 50436->50439 50438 424937 SendMessageA 50437->50438 50441 42495f 50437->50441 50438->50441 50440 402648 18 API calls 50439->50440 50440->50441 50441->50304 50442->50327 50498 4089b8 GetLocaleInfoA 50443->50498 50446 403450 18 API calls 50447 408bb0 50446->50447 50448 4089b8 19 API calls 50447->50448 50449 408bc5 50448->50449 50450 4089b8 19 API calls 50449->50450 50451 408be9 50450->50451 50504 408a04 GetLocaleInfoA 50451->50504 50454 408a04 GetLocaleInfoA 50455 408c19 50454->50455 50456 4089b8 19 API calls 50455->50456 50457 408c33 50456->50457 50458 408a04 GetLocaleInfoA 50457->50458 50459 408c50 50458->50459 50460 4089b8 19 API calls 50459->50460 50461 408c6a 50460->50461 50462 403450 18 API calls 50461->50462 50499 4089f1 50498->50499 50500 4089df 50498->50500 50502 403494 4 API calls 50499->50502 50501 4034e0 18 API calls 50500->50501 50503 4089ef 50501->50503 
50502->50503 50503->50446 50505 408a20 50504->50505 50505->50454 50525 423a48 SystemParametersInfoA 50516->50525 50519 423ab5 ShowWindow 50521 423ac0 50519->50521 50522 423ac7 50519->50522 50528 423a78 SystemParametersInfoA 50521->50528 50524 423f64 LocalAlloc TlsSetValue TlsGetValue TlsGetValue SetWindowPos 50522->50524 50524->50406 50526 423a66 50525->50526 50526->50519 50527 423a78 SystemParametersInfoA 50526->50527 50527->50519 50528->50522 50532 41dfa4 50529->50532 50533 41df8a 50532->50533 50534 41dfb1 50532->50534 50533->50417 50533->50418 50534->50533 50541 40ced0 19 API calls 50534->50541 50536 41dfce 50536->50533 50537 41dfe8 50536->50537 50538 41dfdb 50536->50538 50542 41c1dc 25 API calls 50537->50542 50543 41b7d8 19 API calls 50538->50543 50541->50536 50542->50533 50543->50533 50545 423e8d GetWindowLongA 50544->50545 50546 423e99 50544->50546 50545->50546 50547 450994 50548 450a8c 50547->50548 50549 4509bf GetVersion 50547->50549 50574 403420 50548->50574 50549->50548 50550 4509d2 50549->50550 50561 450964 GetSystemDirectoryA 50550->50561 50556 4509e5 50557 40357c 18 API calls 50556->50557 50558 4509f2 50557->50558 50559 4509fa LoadLibraryA 50558->50559 50559->50548 50560 450a0e 6 API calls 50559->50560 50560->50548 50578 407934 50561->50578 50564 42c84c 50565 42c856 50564->50565 50566 42c879 50564->50566 50587 42cdcc CharPrevA 50565->50587 50568 403494 4 API calls 50566->50568 50569 42c882 50568->50569 50569->50556 50570 42c85d 50570->50566 50571 42c868 50570->50571 50588 4035c0 50571->50588 50573 42c876 50573->50556 50576 403426 50574->50576 50575 40344b 50576->50575 50577 402660 4 API calls 50576->50577 50577->50576 50581 40352c 50578->50581 50582 4034e0 50581->50582 50583 4034bc 18 API calls 50582->50583 50584 4034f0 50583->50584 50585 403400 4 API calls 50584->50585 50586 403508 50585->50586 50586->50564 50587->50570 50589 4035c4 50588->50589 50590 403625 50588->50590 50591 403450 50589->50591 50592 4035cc 50589->50592 50593 403464 50591->50593 
50595 4034bc 18 API calls 50591->50595 50592->50590 50596 403450 18 API calls 50592->50596 50598 4035db 50592->50598 50594 403490 50593->50594 50599 402660 4 API calls 50593->50599 50594->50573 50595->50593 50596->50598 50597 4034bc 18 API calls 50600 4035f5 50597->50600 50598->50597 50599->50594 50601 403450 18 API calls 50600->50601 50602 403621 50601->50602 50602->50573 50603 47e054 50604 47e05f 50603->50604 50606 47e075 GetLastError 50604->50606 50607 47e0a0 50604->50607 50611 45304c 50604->50611 50606->50607 50608 47e07f GetLastError 50606->50608 50608->50607 50609 47e089 GetTickCount 50608->50609 50609->50607 50610 47e097 Sleep 50609->50610 50610->50604 50618 452e68 50611->50618 50613 453062 50614 453066 50613->50614 50615 453082 DeleteFileA GetLastError 50613->50615 50614->50604 50624 452ea4 50615->50624 50619 452e76 50618->50619 50620 452e72 50618->50620 50621 452e7f Wow64DisableWow64FsRedirection 50619->50621 50622 452e98 SetLastError 50619->50622 50620->50613 50623 452e93 50621->50623 50622->50623 50623->50613 50625 452eb3 50624->50625 50626 452ea9 Wow64RevertWow64FsRedirection 50624->50626 50625->50604 50626->50625 50627 416f92 50628 41703a 50627->50628 50629 416faa 50627->50629 50646 41576c 18 API calls 50628->50646 50631 416fc4 SendMessageA 50629->50631 50632 416fb8 50629->50632 50642 417018 50631->50642 50633 416fc2 CallWindowProcA 50632->50633 50634 416fde 50632->50634 50633->50642 50643 41a4a8 GetSysColor 50634->50643 50637 416fe9 SetTextColor 50638 416ffe 50637->50638 50644 41a4a8 GetSysColor 50638->50644 50640 417003 SetBkColor 50645 41ab30 GetSysColor CreateBrushIndirect 50640->50645 50643->50637 50644->50640 50645->50642 50646->50642 50647 416a94 50648 416aa1 50647->50648 50649 416afb 50647->50649 50654 4169a0 CreateWindowExA 50648->50654 50650 416aa8 SetPropA SetPropA 50650->50649 50651 416adb 50650->50651 50652 416aee SetWindowPos 50651->50652 50652->50649 50654->50650 50655 450390 50656 4503b5 50655->50656 50657 450448 50655->50657 50658 
450402 50656->50658 50676 450360 GetSystemDirectoryA 50656->50676 50659 403420 4 API calls 50657->50659 50658->50657 50661 45040b 50658->50661 50660 450468 50659->50660 50663 450360 19 API calls 50661->50663 50665 45041d 50663->50665 50667 42c84c 19 API calls 50665->50667 50666 42c84c 19 API calls 50668 4503e2 50666->50668 50670 450428 50667->50670 50669 40357c 18 API calls 50668->50669 50671 4503ef 50669->50671 50672 40357c 18 API calls 50670->50672 50674 4503f7 LoadLibraryA 50671->50674 50673 450435 50672->50673 50675 45043d LoadLibraryA 50673->50675 50674->50658 50675->50657 50677 407934 18 API calls 50676->50677 50678 45038a 50677->50678 50678->50666 50679 49339c 50680 4933d6 50679->50680 50681 4933d8 50680->50681 50682 4933e2 50680->50682 50878 4094e8 MessageBeep 50681->50878 50684 49341a 50682->50684 50685 4933f1 50682->50685 50692 493429 50684->50692 50693 493452 50684->50693 50687 447498 32 API calls 50685->50687 50686 403420 4 API calls 50688 493a2e 50686->50688 50689 4933fe 50687->50689 50690 403400 4 API calls 50688->50690 50879 407000 50689->50879 50694 493a36 50690->50694 50696 447498 32 API calls 50692->50696 50699 49348a 50693->50699 50700 493461 50693->50700 50698 493436 50696->50698 50892 407050 18 API calls 50698->50892 50707 493499 50699->50707 50708 4934b2 50699->50708 50702 447498 32 API calls 50700->50702 50705 49346e 50702->50705 50703 493441 50704 4477ec 19 API calls 50703->50704 50827 4933dd 50704->50827 50893 407084 18 API calls 50705->50893 50894 4076d0 19 API calls 50707->50894 50714 4934c1 50708->50714 50715 4934e6 50708->50715 50710 493479 50712 4477ec 19 API calls 50710->50712 50711 4934a1 50713 4477ec 19 API calls 50711->50713 50712->50827 50713->50827 50716 447498 32 API calls 50714->50716 50718 49351e 50715->50718 50719 4934f5 50715->50719 50717 4934ce 50716->50717 50895 4076f8 50717->50895 50726 49352d 50718->50726 50727 493556 50718->50727 50721 447498 32 API calls 50719->50721 50723 493502 50721->50723 50722 4934d6 50898 447570 
50722->50898 50907 42cc54 50723->50907 50729 447498 32 API calls 50726->50729 50732 4935a2 50727->50732 50733 493565 50727->50733 50731 49353a 50729->50731 50730 4477ec 19 API calls 50730->50827 50916 407648 22 API calls 50731->50916 50739 4935da 50732->50739 50740 4935b1 50732->50740 50735 447498 32 API calls 50733->50735 50738 493574 50735->50738 50736 493545 50737 4477ec 19 API calls 50736->50737 50737->50827 50741 447498 32 API calls 50738->50741 50747 4935e9 50739->50747 50748 493612 50739->50748 50742 447498 32 API calls 50740->50742 50743 493585 50741->50743 50744 4935be 50742->50744 50917 4930a0 22 API calls 50743->50917 50918 42ccf4 50744->50918 50751 447498 32 API calls 50747->50751 50755 49364a 50748->50755 50756 493621 50748->50756 50749 493591 50752 4477ec 19 API calls 50749->50752 50754 4935f6 50751->50754 50752->50827 50753 4477ec 19 API calls 50753->50827 50923 42cd1c 50754->50923 50763 493659 50755->50763 50764 493682 50755->50764 50758 447498 32 API calls 50756->50758 50761 49362e 50758->50761 50760 4477ec 19 API calls 50760->50827 50931 42cd4c 19 API calls 50761->50931 50765 447498 32 API calls 50763->50765 50770 4936ba 50764->50770 50771 493691 50764->50771 50767 493666 50765->50767 50766 493639 50768 4477ec 19 API calls 50766->50768 50932 42cd7c 50767->50932 50768->50827 50776 4936c9 50770->50776 50777 493706 50770->50777 50773 447498 32 API calls 50771->50773 50775 49369e 50773->50775 50774 4477ec 19 API calls 50774->50827 50937 42cda4 50775->50937 50779 447498 32 API calls 50776->50779 50784 493758 50777->50784 50785 493715 50777->50785 50781 4936d8 50779->50781 50783 447498 32 API calls 50781->50783 50782 4477ec 19 API calls 50782->50827 50787 4936e9 50783->50787 50792 4937cb 50784->50792 50793 493767 50784->50793 50786 447498 32 API calls 50785->50786 50788 493728 50786->50788 50942 42c948 19 API calls 50787->50942 50790 447498 32 API calls 50788->50790 50794 493739 50790->50794 50791 4936f5 50795 4477ec 19 API calls 50791->50795 50800 
49380a 50792->50800 50801 4937da 50792->50801 50866 447498 50793->50866 50943 493298 26 API calls 50794->50943 50795->50827 50799 493747 50803 4477ec 19 API calls 50799->50803 50811 493849 50800->50811 50812 493819 50800->50812 50804 447498 32 API calls 50801->50804 50803->50827 50808 4937e7 50804->50808 50809 45304c 5 API calls 50808->50809 50814 4937f4 50809->50814 50820 493858 50811->50820 50828 493888 50811->50828 50816 447498 32 API calls 50812->50816 50817 447570 19 API calls 50814->50817 50819 493826 50816->50819 50817->50827 50944 452eb4 50819->50944 50823 447498 32 API calls 50820->50823 50826 493865 50823->50826 50825 493833 50951 453554 50826->50951 50827->50686 50831 4938d0 50828->50831 50832 493897 50828->50832 50837 493918 50831->50837 50838 4938df 50831->50838 50834 447498 32 API calls 50832->50834 50836 4938a6 50834->50836 50839 447498 32 API calls 50836->50839 50843 49392b 50837->50843 50850 4939e1 50837->50850 50840 447498 32 API calls 50838->50840 50841 4938b7 50839->50841 50842 4938ee 50840->50842 50958 447718 19 API calls 50841->50958 50844 447498 32 API calls 50842->50844 50846 447498 32 API calls 50843->50846 50847 4938ff 50844->50847 50848 493958 50846->50848 50849 447498 32 API calls 50848->50849 50850->50827 50962 44743c 50850->50962 50867 4474a0 50866->50867 50970 436518 50867->50970 50869 4474bf 50870 42ca58 21 API calls 50869->50870 50878->50827 50880 40700f 50879->50880 50881 407031 50880->50881 50882 407028 50880->50882 50998 403778 50881->50998 50883 403400 4 API calls 50882->50883 50884 40702f 50883->50884 50886 4477ec 50884->50886 50887 4477f4 50886->50887 51005 436a00 50887->51005 50891 44782e 50891->50827 50892->50703 50893->50710 50894->50711 51014 403738 50895->51014 50899 447578 50898->50899 50900 4475a2 50899->50900 50901 44758f 50899->50901 51017 4365fc VariantClear 50900->51017 51016 4365fc VariantClear 50901->51016 50904 4475a0 50905 4475ca 50904->50905 51018 40905c 18 API calls 50904->51018 50905->50827 50908 403738 
50907->50908 50909 42cc77 GetFullPathNameA 50908->50909 50910 42cc83 50909->50910 50911 42cc9a 50909->50911 50910->50911 50912 42cc8b 50910->50912 50913 403494 4 API calls 50911->50913 50914 4034e0 18 API calls 50912->50914 50915 42cc98 50913->50915 50914->50915 50915->50730 50916->50736 50917->50749 51019 42cbec 50918->51019 50921 403778 18 API calls 50922 42cd15 50921->50922 50922->50753 51034 42cac4 50923->51034 50926 42cd30 50928 403400 4 API calls 50926->50928 50927 42cd39 50929 403778 18 API calls 50927->50929 50930 42cd37 50928->50930 50929->50930 50930->50760 50931->50766 50933 42cbec IsDBCSLeadByte 50932->50933 50934 42cd8c 50933->50934 50935 403778 18 API calls 50934->50935 50936 42cd9e 50935->50936 50936->50774 50938 42cbec IsDBCSLeadByte 50937->50938 50939 42cdb4 50938->50939 50940 403778 18 API calls 50939->50940 50941 42cdc5 50940->50941 50941->50782 50942->50791 50943->50799 50945 452e68 2 API calls 50944->50945 50946 452eca 50945->50946 50947 452ece 50946->50947 50948 452eec CreateDirectoryA GetLastError 50946->50948 50947->50825 50949 452ea4 Wow64RevertWow64FsRedirection 50948->50949 50952 452e68 2 API calls 50951->50952 50953 45356a 50952->50953 50954 45356e 50953->50954 50955 45358a RemoveDirectoryA GetLastError 50953->50955 50958->50827 50963 447440 50962->50963 51037 43643c 50963->51037 50971 436524 50970->50971 50972 436546 50970->50972 50971->50972 50992 40905c 18 API calls 50971->50992 50973 4365c9 50972->50973 50975 4365b1 50972->50975 50976 4365a5 50972->50976 50977 436599 50972->50977 50978 43658d 50972->50978 50979 4365bd 50972->50979 50997 40905c 18 API calls 50973->50997 50983 403494 4 API calls 50975->50983 50982 40352c 18 API calls 50976->50982 50981 403510 18 API calls 50977->50981 50993 403510 50978->50993 50996 4040e8 32 API calls 50979->50996 50987 4365a2 50981->50987 50988 4365ae 50982->50988 50989 4365ba 50983->50989 50986 4365da 50986->50869 50987->50869 50988->50869 50989->50869 50990 4365c6 50990->50869 50992->50972 50994 
4034e0 18 API calls 50993->50994 50995 40351d 50994->50995 50995->50869 50996->50990 50997->50986 50999 4037aa 50998->50999 51000 40377d 50998->51000 51001 403400 4 API calls 50999->51001 51000->50999 51003 403791 51000->51003 51002 4037a0 51001->51002 51002->50884 51004 4034e0 18 API calls 51003->51004 51004->51002 51008 436a10 51005->51008 51009 436a14 51005->51009 51006 436a42 51006->51009 51013 4041f8 19 API calls 51006->51013 51007 436a48 51010 403450 18 API calls 51007->51010 51008->51006 51008->51007 51008->51009 51009->50891 51012 40905c 18 API calls 51009->51012 51010->51009 51012->50891 51013->51009 51015 40373c SetCurrentDirectoryA 51014->51015 51015->50722 51016->50904 51017->50904 51018->50905 51024 42cacc 51019->51024 51021 42cc4b 51021->50921 51022 42cc01 51022->51021 51031 42c894 IsDBCSLeadByte 51022->51031 51025 42cadd 51024->51025 51026 42cb41 51025->51026 51030 42cafb 51025->51030 51028 42cb3c 51026->51028 51033 42c894 IsDBCSLeadByte 51026->51033 51028->51022 51030->51028 51032 42c894 IsDBCSLeadByte 51030->51032 51031->51022 51032->51030 51033->51028 51035 42cacc IsDBCSLeadByte 51034->51035 51036 42cacb 51035->51036 51036->50926 51036->50927 51051 46c7d0 51052 46ca59 51051->51052 51053 46c804 51051->51053 51054 403400 4 API calls 51052->51054 51055 46c840 51053->51055 51056 46c89c 51053->51056 51057 46c87a 51053->51057 51058 46c88b 51053->51058 51059 46c858 51053->51059 51060 46c869 51053->51060 51062 46ccac 51054->51062 51055->51052 51106 4698f8 51055->51106 51367 46c760 60 API calls 51056->51367 51365 46c390 70 API calls 51057->51365 51366 46c550 82 API calls 51058->51366 51363 46c0e0 62 API calls 51059->51363 51364 46c248 57 API calls 51060->51364 51067 403400 4 API calls 51062->51067 51070 46ccb4 51067->51070 51069 46c85e 51069->51052 51069->51055 51071 46c8d8 51071->51052 51082 46c91b 51071->51082 51368 496688 51071->51368 51074 46ca3e 51117 484978 51074->51117 51075 414f38 18 API calls 51075->51082 51078 42d010 20 API calls 51078->51082 
51079 46bbec 37 API calls 51079->51082 51082->51052 51082->51074 51082->51075 51082->51078 51082->51079 51083 46ca97 51082->51083 51085 403450 18 API calls 51082->51085 51097 46cb5f 51082->51097 51109 469834 51082->51109 51142 46b958 51082->51142 51291 484470 51082->51291 51403 46be9c 33 API calls 51082->51403 51149 46aba0 51083->51149 51084 46bbec 37 API calls 51084->51052 51085->51082 51087 46cafd 51088 403450 18 API calls 51087->51088 51089 46cb0d 51088->51089 51090 46cb69 51089->51090 51091 46cb19 51089->51091 51095 46cc2b 51090->51095 51210 46bbec 51090->51210 51387 458718 51091->51387 51097->51084 51107 469834 33 API calls 51106->51107 51108 469907 51107->51108 51108->51071 51112 469863 51109->51112 51114 4698a4 51112->51114 51404 407d44 51112->51404 51115 403400 4 API calls 51114->51115 51116 4698bc 51115->51116 51116->51082 51118 418630 51117->51118 51119 4849af GetForegroundWindow 51118->51119 51120 4849ba SetActiveWindow 51119->51120 51121 4849c8 51119->51121 51120->51121 51122 4849df 51121->51122 51124 4849e9 51121->51124 51424 484874 120 API calls 51122->51424 51126 484a15 51124->51126 51129 484aaa 51124->51129 51130 484a74 51124->51130 51125 4849e4 51450 4838a0 51125->51450 51126->51125 51429 45850c 51126->51429 51132 46748c 34 API calls 51129->51132 51425 46748c 51130->51425 51139 484aa8 51132->51139 51138 484b28 51140 403420 4 API calls 51138->51140 51428 4802d4 57 API calls 51139->51428 51141 484b42 51140->51141 51141->51052 51143 46b969 51142->51143 51145 46b964 51142->51145 51687 46a704 60 API calls 51143->51687 51144 46b967 51144->51082 51145->51144 51602 46b3c4 51145->51602 51148 46b971 51148->51082 51150 403400 4 API calls 51149->51150 51151 46abce 51150->51151 52055 47f004 51151->52055 51153 46ac31 51154 46ac35 51153->51154 51155 46ac4e 51153->51155 51156 46748c 34 API calls 51154->51156 51157 46ac3f 51155->51157 52062 496578 18 API calls 51155->52062 51156->51157 51160 46ad6d 51157->51160 51161 46add8 51157->51161 51209 46aee2 51157->51209 
Execution Graph (flattened export of the report's interactive call-graph viewer; the raw node/edge list has been collapsed here). The graph nodes are function addresses inside the sample's image in the 0x401000-0x49a000 range, annotated with the number of resolved API calls reachable from each callee (for example "40357c 18 API calls", "47d578 57 API calls"); one node (406814) calls out to an address in a loaded module (0x6F9C1CD0). Windows APIs named directly on the graph, grouped by family:

- Process/runtime: GetModuleHandleA, GetCommandLineA, GetVersion, GetProcAddress, LoadLibraryA, SetErrorMode, SetProcessDEPPolicy, ExitProcess, LocalAlloc, LocalFree, VirtualFree, TlsSetValue, TlsGetValue, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, KiUserCallbackDispatcher
- Registry/configuration: RegOpenKeyExA, RegQueryValueExA, GetPrivateProfileStringA, GetProfileStringA, WritePrivateProfileStringA, WriteProfileStringA
- Filesystem/time/locale: GetFileAttributesA, GetSystemTimeAsFileTime, FileTimeToSystemTime, GetSystemDefaultLCID, IsDBCSLeadByte, CharNextA, CharPrevA, lstrcmp
- Window/UI: RegisterClassA, CreateWindowExA, DestroyWindow, GetActiveWindow, SetActiveWindow, GetFocus, SetFocus, GetLastActivePopup, SetForegroundWindow, IsWindowVisible, IsWindowEnabled, EnableWindow, GetWindowLongA, GetSystemMetrics, SetWindowPos, ScrollWindow, SetScrollInfo, GetScrollPos, SetScrollPos, SendMessageA, PostMessageA, MessageBoxA, MulDiv, GetMenu, SetMenu, GetMenuItemCount, GetMenuStringA, GetMenuState

The SetProcessDEPPolicy/GetProcAddress path (node 4063f4 via 406425/40644f) and the registry and profile-string reads are the graph regions most relevant to the signatures listed above; the remainder is GUI and runtime plumbing typical of a Delphi-based installer.
58170 4477ec 19 API calls 58166->58170 58172 495039 58168->58172 58343 48e0d0 33 API calls 58168->58343 58178 495099 58169->58178 58179 49505c 58169->58179 58173 494f13 58170->58173 58171 494f8a 58174 4318a4 18 API calls 58171->58174 58176 447570 19 API calls 58172->58176 58177 494f95 58174->58177 58176->58224 58180 4477ec 19 API calls 58177->58180 58188 4950a8 58178->58188 58189 4950e5 58178->58189 58181 49506d 58179->58181 58344 48e164 33 API calls 58179->58344 58182 494fa1 58180->58182 58183 49508a 58181->58183 58184 495076 58181->58184 58345 453aac 18 API calls 58183->58345 58186 4477ec 19 API calls 58184->58186 58186->58224 58190 4950b9 58188->58190 58346 48e164 33 API calls 58188->58346 58195 495119 58189->58195 58196 4950f4 58189->58196 58192 4950c2 58190->58192 58193 4950d6 58190->58193 58197 4477ec 19 API calls 58192->58197 58347 453aac 18 API calls 58193->58347 58200 495128 58195->58200 58201 49514d 58195->58201 58198 447498 32 API calls 58196->58198 58197->58224 58199 495101 58198->58199 58348 447718 19 API calls 58199->58348 58202 44743c 32 API calls 58200->58202 58206 49515c 58201->58206 58207 495166 58201->58207 58203 495132 58202->58203 58205 40352c 18 API calls 58203->58205 58208 49513c 58205->58208 58349 409030 19 API calls 58206->58349 58211 495190 58207->58211 58212 495175 58207->58212 58210 4477ec 19 API calls 58208->58210 58210->58224 58216 49519f 58211->58216 58217 4951c4 58211->58217 58350 494758 18 API calls 58212->58350 58214 49517e 58215 4477ec 19 API calls 58214->58215 58215->58224 58218 447498 32 API calls 58216->58218 58220 4951fa 58217->58220 58221 4951d3 58217->58221 58219 4951ab 58218->58219 58351 40905c 18 API calls 58219->58351 58227 495209 58220->58227 58228 49521f 58220->58228 58352 494758 18 API calls 58221->58352 58224->58090 58225 4951dc 58353 42eafc 19 API calls 58225->58353 58230 447570 19 API calls 58227->58230 58232 4952ce 58228->58232 58233 495232 58228->58233 58229 4951e8 58354 4837b0 58 API calls 58229->58354 
58230->58224 58239 4952dd 58232->58239 58240 495324 58232->58240 58234 49523b 58233->58234 58235 49527e 58233->58235 58236 447498 32 API calls 58234->58236 58237 447498 32 API calls 58235->58237 58238 49524e 58236->58238 58241 495291 58237->58241 58243 447498 32 API calls 58238->58243 58244 447498 32 API calls 58239->58244 58250 495379 58240->58250 58251 495333 58240->58251 58242 447498 32 API calls 58241->58242 58245 4952a2 58242->58245 58246 49525f 58243->58246 58247 4952ec 58244->58247 58248 47d578 57 API calls 58245->58248 58355 494820 38 API calls 58246->58355 58252 447498 32 API calls 58247->58252 58263 4953c6 58250->58263 58273 495388 58250->58273 58255 48e2a8 32 API calls 58251->58255 58256 4952ff 58252->58256 58260 495342 58255->58260 58257 44743c 32 API calls 58256->58257 58264 447498 32 API calls 58260->58264 58271 49541e 58263->58271 58272 4953d5 58263->58272 58267 49534f 58264->58267 58281 49547d 58271->58281 58282 49542d 58271->58282 58276 48e2a8 32 API calls 58272->58276 58279 447498 32 API calls 58273->58279 58278 4953e4 58276->58278 58284 4953ab 58279->58284 58290 4954d9 58281->58290 58296 49548c 58281->58296 58293 447498 32 API calls 58282->58293 58360 4949f8 40 API calls 58284->58360 58328->58083 58329->58087 58330->58093 58331->58095 58332->58105 58333->58107 58334->58118 58335->58121 58336->58126 58337->58131 58338->58152 58339->58139 58340->58164 58341->58171 58342->58154 58343->58172 58344->58181 58345->58224 58346->58190 58347->58224 58348->58224 58350->58214 58351->58224 58352->58225 58353->58229 58354->58224 58366 416a3c DestroyWindow
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
• API String ID: 0-4234653879
• Opcode ID: 41ece08bbbf6a323990f1ecb777884a85c897b4230cd9a3a9200b5780cb9fc64
• Instruction ID: 5ab6688b1d8de169e7eae929f0fe5b5c72d30124bbb070add725f290c9b618ac
• Opcode Fuzzy Hash: 41ece08bbbf6a323990f1ecb777884a85c897b4230cd9a3a9200b5780cb9fc64
• Instruction Fuzzy Hash: BAD25370B041455BDB04EBB9C8819AEBBA5AF58704F50893FB406AB346DF3CED068799
Strings
• Existing file is a newer version. Skipping., xrefs: 00471BE2
• Same time stamp. Skipping., xrefs: 00471D35
• Installing into GAC, xrefs: 004726FA
• Dest file exists., xrefs: 0047199B
• Version of existing file: %u.%u.%u.%u, xrefs: 00471B5C
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00471C95
• .tmp, xrefs: 00471F97
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00471E76
• Time stamp of our file: %s, xrefs: 0047197B
• I, xrefs: 00471688
• Non-default bitness: 64-bit, xrefs: 0047188F
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004719AE
• Version of our file: (none), xrefs: 00471ADC
• Failed to strip read-only attribute., xrefs: 00471EB3
• Will register the file (a type library) later., xrefs: 00472502
• Stripped read-only attribute., xrefs: 00471EA7
• Installing the file., xrefs: 00471EE9
• Version of existing file: (none), xrefs: 00471CDA
• User opted not to overwrite the existing file. Skipping., xrefs: 00471E2D
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00471EDA
• Existing file has a later time stamp. Skipping., xrefs: 00471DAF
• Non-default bitness: 32-bit, xrefs: 0047189B
• Version of our file: %u.%u.%u.%u, xrefs: 00471AD0
• , xrefs: 00471BAF, 00471D80, 00471DFE
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00471CB0
• Will register the file (a DLL/OCX) later., xrefs: 0047250E
• InUn, xrefs: 0047213F
• Dest file is protected by Windows File Protection., xrefs: 004718CD
• Same version. Skipping., xrefs: 00471CC5
• Time stamp of existing file: %s, xrefs: 00471A0B
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00471CA4
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00471DCC
• Uninstaller requires administrator: %s, xrefs: 0047216F
• Time stamp of our file: (failed to read), xrefs: 00471987
• Couldn't read time stamp. Skipping., xrefs: 00471D15
• Incrementing shared file count (32-bit)., xrefs: 00472594
• Dest filename: %s, xrefs: 00471874
• -- File entry --, xrefs: 004716DB
• Incrementing shared file count (64-bit)., xrefs: 0047257B
• Time stamp of existing file: (failed to read), xrefs: 00471A17
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$I
• API String ID: 0-4118084788
• Opcode ID: c45ef2569825c2cc80ee30367728a5172857cecb85d7291e990cb0d481d6bfed
• Instruction ID: 6bf2baeb3a70bced245c17dd6e1df6b1677c078c0e18323f60fd28fe4f0ee562
• Opcode Fuzzy Hash: c45ef2569825c2cc80ee30367728a5172857cecb85d7291e990cb0d481d6bfed
• Instruction Fuzzy Hash: 73927134A042889FDB11DFA9C585BDDBBF4AF05304F1480ABE848BB392D7789E45DB19

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 2766 42e4ec-42e4fd 2767 42e508-42e52d AllocateAndInitializeSid 2766->2767 2768 42e4ff-42e503 2766->2768 2769 42e6d7-42e6df 2767->2769 2770 42e533-42e550 GetVersion 2767->2770 2768->2769 2771 42e552-42e567 GetModuleHandleA GetProcAddress 2770->2771 2772 42e569-42e56b 2770->2772 2771->2772 2773 42e592-42e5ac GetCurrentThread OpenThreadToken 2772->2773 2774 42e56d-42e57b CheckTokenMembership 2772->2774 2777 42e5e3-42e60b GetTokenInformation 2773->2777 2778 42e5ae-42e5b8 GetLastError 2773->2778 2775 42e581-42e58d 2774->2775 2776 42e6b9-42e6cf FreeSid 2774->2776 2775->2776 2781 42e626-42e64a call 402648 GetTokenInformation 2777->2781 2782 42e60d-42e615 GetLastError 2777->2782 2779 42e5c4-42e5d7 GetCurrentProcess OpenProcessToken 2778->2779 2780 42e5ba-42e5bf call 4031bc 2778->2780 2779->2777 2785 42e5d9-42e5de call 4031bc 2779->2785 2780->2769 2792 42e658-42e660 2781->2792 2793 42e64c-42e656 call 4031bc * 2 2781->2793 2782->2781 2786 42e617-42e621 call 4031bc * 2 2782->2786 2785->2769 2786->2769 2797 42e662-42e663 2792->2797 2798 42e693-42e6b1 call 402660 CloseHandle 2792->2798 2793->2769 2802 42e665-42e678 EqualSid 2797->2802 2805 42e67a-42e687 2802->2805 2806 42e68f-42e691 2802->2806 2805->2806 2807 42e689-42e68d 2805->2807 2806->2798 2806->2802 2807->2798
APIs
• AllocateAndInitializeSid.ADVAPI32(0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E526
• GetVersion.KERNEL32(00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E543
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E55C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E562
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E577
• FreeSid.ADVAPI32(00000000,0042E6D7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E6CA
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-1888249752
• Opcode ID: bec140b171ea519891e8f75e6984b41f13cc792e2a5660a755a4f82e4b8777e7
• Instruction ID: 33373ee259e646c263c3edb0d375fd355344fbe6f0fea3053a31bb261822ccd7
                                                                                                                                                                                  • Opcode Fuzzy Hash: bec140b171ea519891e8f75e6984b41f13cc792e2a5660a755a4f82e4b8777e7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 33518371B44619AEDB10EAE69842B7F77ACDB19304FD4047BB500F72C2D57CD904876A

Control-flow Graph

control_flow_graph 2809 450994-4509b9 2810 450a8c-450ab0 call 403420 2809->2810 2811 4509bf-4509cc GetVersion 2809->2811 2811->2810 2812 4509d2-450a0c call 450964 call 42c84c call 40357c call 403738 LoadLibraryA 2811->2812 2812->2810 2823 450a0e-450a87 GetProcAddress * 6 2812->2823 2823->2810
APIs
• GetVersion.KERNEL32(00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509BF
  • Part of subcall function 00450964: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045097C
• LoadLibraryA.KERNEL32(00000000,00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509FB
• GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450A19
• GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 00450A2E
• GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450A43
• GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450A58
• GetProcAddress.KERNEL32(00000000,RmRestart), ref: 00450A6D
• GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450A82
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystemVersion
• String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
• API String ID: 2754715182-3419246398
• Opcode ID: d8d5ff48d6aa38830af6a9e8a73036221bb65f2481768552fb853932befe92ab
• Instruction ID: 7e76809d132c55fa29070b713de61cc7a3e08993567f6b48a797f9432d6667d5
• Opcode Fuzzy Hash: d8d5ff48d6aa38830af6a9e8a73036221bb65f2481768552fb853932befe92ab
• Instruction Fuzzy Hash: 58212AB4A00304AEE710FBA5EC86A6E77F8E764755F50053BB810A71A3D6789D49CB1C

Control-flow Graph

control_flow_graph 3025 42405c-424090 3026 424092-424093 3025->3026 3027 4240c4-4240db call 423fb8 3025->3027 3028 424095-4240b1 call 40b69c 3026->3028 3032 42413c-424141 3027->3032 3033 4240dd 3027->3033 3061 4240b3-4240bb 3028->3061 3062 4240c0-4240c2 3028->3062 3037 424143 3032->3037 3038 424177-42417c 3032->3038 3035 4240e3-4240e6 3033->3035 3036 4241a0-4241b0 3033->3036 3039 424115-424118 3035->3039 3040 4240e8 3035->3040 3043 4241b2-4241b7 3036->3043 3044 4241bb-4241c3 call 4245e4 3036->3044 3046 424401-424409 3037->3046 3047 424149-424151 3037->3047 3041 424182-424185 3038->3041 3042 4244ea-4244f8 IsIconic 3038->3042 3056 4241f9-424200 3039->3056 3057 42411e-42411f 3039->3057 3052 424246-424256 call 423fd4 3040->3052 3053 4240ee-4240f1 3040->3053 3054 424526-42453b call 424ca0 3041->3054 3055 42418b-42418c 3041->3055 3048 4245a2-4245aa 3042->3048 3049 4244fe-424509 GetFocus 3042->3049 3059 4241c8-4241d0 call 42462c 3043->3059 3060 4241b9-4241dc call 423fd4 3043->3060 3044->3048 3046->3048 3058 42440f-42441a call 418630 3046->3058 3050 424363-42438a SendMessageA 3047->3050 3051 424157-42415c 3047->3051 3075 4245c1-4245c7 3048->3075 3049->3048 3065 42450f-424518 call 41f444 3049->3065 3050->3048 3073 424162-424163 3051->3073 3074 42449a-4244a5 3051->3074 3052->3048 3066 4240f7-4240fa 3053->3066 3067 42426e-42428a PostMessageA call 423fd4 3053->3067 3054->3048 3077 424192-424195 3055->3077 3078 42453d-424544 3055->3078 3056->3048 3069 424206-42420d 3056->3069 3070 424125-424128 3057->3070 3071 42438f-424396 3057->3071 3058->3048 3110 424420-42442f call 418630 IsWindowEnabled 3058->3110 3059->3048 3060->3048 3061->3075 3062->3027 3062->3028 3065->3048 3123 42451e-424524 SetFocus 3065->3123 3084 424100-424103 3066->3084 3085 4242f5-4242fc 3066->3085 3067->3048 3069->3048 3089 424213-424219 3069->3089 3090 42412e-424131 3070->3090 3091 42428f-4242af call 423fd4 3070->3091 3071->3048 3100 42439c-4243a1 call 404e54 3071->3100 3093 4244c2-4244cd 3073->3093 3094 424169-42416c 3073->3094 3074->3048 3096 4244ab-4244bd 3074->3096 3097 424570-424577 3077->3097 3098 42419b 3077->3098 3087 424546-424559 call 424924 3078->3087 3088 42455b-42456e call 42497c 3078->3088 3103 424109-42410a 3084->3103 3104 42421e-42422c IsIconic 3084->3104 3105 4242fe-424311 call 423f64 3085->3105 3106 42432f-424340 call 423fd4 3085->3106 3087->3048 3088->3048 3089->3048 3108 424137 3090->3108 3109 42425b-424269 call 4245c8 3090->3109 3139 4242d3-4242f0 call 423ed4 PostMessageA 3091->3139 3140 4242b1-4242ce call 423f64 PostMessageA 3091->3140 3093->3048 3117 4244d3-4244e5 3093->3117 3114 424172 3094->3114 3115 4243a6-4243ae 3094->3115 3096->3048 3112 42458a-424599 3097->3112 3113 424579-424588 3097->3113 3116 42459b-42459c call 423fd4 3098->3116 3100->3048 3124 424110 3103->3124 3125 4241e1-4241e9 3103->3125 3131 42423a-424241 call 423fd4 3104->3131 3132 42422e-424235 call 424010 3104->3132 3154 424323-42432a call 423fd4 3105->3154 3155 424313-42431d call 41f3a8 3105->3155 3159 424342-424348 call 41f2f4 3106->3159 3160 424356-42435e call 423ed4 3106->3160 3108->3116 3109->3048 3110->3048 3156 424435-424444 call 418630 IsWindowVisible 3110->3156 3112->3048 3113->3048 3114->3116 3115->3048 3121 4243b4-4243bb 3115->3121 3147 4245a1 3116->3147 3117->3048 3121->3048 3138 4243c1-4243d0 call 418630 IsWindowEnabled 3121->3138 3123->3048 3124->3116 3125->3048 3141 4241ef-4241f4 call 42309c 3125->3141 3131->3048 3132->3048 3138->3048 3170 4243d6-4243ec call 412760 3138->3170 3139->3048 3140->3048 3141->3048 3147->3048 3154->3048 3155->3154 3156->3048 3177 42444a-424495 GetFocus call 418630 SetFocus call 415690 SetFocus 3156->3177 3174 42434d-424350 3159->3174 3160->3048 3170->3048 3180 4243f2-4243fc 3170->3180 3174->3160 3177->3048 3180->3048
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c2d28a4b4d1923454e08cb3fe27b72dfc3876b272648f6aa9b42a85e47afd24
• Instruction ID: 43e49367b0b6739e18dd975752e7d81306140be7a57883210305ee73c05c6530
• Opcode Fuzzy Hash: 1c2d28a4b4d1923454e08cb3fe27b72dfc3876b272648f6aa9b42a85e47afd24
• Instruction Fuzzy Hash: 59E16E30704124EFD710DB6AE685A5DB7F4EF84314FA540A6F6859B392CB38EE81DB09
APIs
  • Part of subcall function 004971B4: GetWindowRect.USER32(00000000), ref: 004971CA
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 004683DD
  • Part of subcall function 0041DB00: GetObjectA.GDI32(?,00000018,004683F6), ref: 0041DB2B
  • Part of subcall function 00467E10: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
  • Part of subcall function 00467E10: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467ED9
  • Part of subcall function 00467E10: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467F30
  • Part of subcall function 004677CC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00468491,00000000,00000000,00000000,0000000C,00000000), ref: 004677E4
  • Part of subcall function 00497438: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00497442
  • Part of subcall function 0042F188: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4
  • Part of subcall function 0042F188: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F201
  • Part of subcall function 00497104: GetDC.USER32(00000000), ref: 00497126
  • Part of subcall function 00497104: SelectObject.GDI32(?,00000000), ref: 0049714C
  • Part of subcall function 00497104: ReleaseDC.USER32(00000000,?), ref: 0049719D
  • Part of subcall function 00497428: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00497432
• GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 00469080
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00469091
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004690A9
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadProcRectReleaseSelectSystemUserWindow
• String ID: $(Default)$STOPIMAGE
• API String ID: 616467991-770201673
• Opcode ID: 533b5b9c69d50d4e3bf7389d015b08925e7f9e5915c964b06be795d887c19e03
• Instruction ID: 80892e57212ece105f8354d293749779e47711168eff5a6823bea21c9da9ff55
• Opcode Fuzzy Hash: 533b5b9c69d50d4e3bf7389d015b08925e7f9e5915c964b06be795d887c19e03
• Instruction Fuzzy Hash: 90F2E7786005108FCB00EB69D8D9F9977F5BF89304F1542BAE5049B36ADB78EC46CB4A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476179
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476256
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476264
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: unins$unins???.*
• API String ID: 3541575487-1009660736
• Opcode ID: 4d6b4c78c27d307665df1e659c75eb40dbe6a289c02ca47561d52f2f5fb83ddd
• Instruction ID: eb89464c752a784b36226a23c26c23c5edadcf818cb3280f2000aa581376a5b5
• Opcode Fuzzy Hash: 4d6b4c78c27d307665df1e659c75eb40dbe6a289c02ca47561d52f2f5fb83ddd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 11312E70600548ABDB50EB65CC81ADEBBADDB45314F5180F6A84CAB3A6DB389F418F58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E1
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E9
Similarity
• API ID: ErrorFileFindFirstLast
• String ID:
• API String ID: 873889042-0
• Opcode ID: 1201cac6feb998a2fb112764d438cb0eb727cdb5a4391e78fe092c8218b0a9ce
• Instruction ID: d0bf465202dae3429285692917932fac375c13b7b10a14b33624456fe0da4cd4
• Opcode Fuzzy Hash: 1201cac6feb998a2fb112764d438cb0eb727cdb5a4391e78fe092c8218b0a9ce
• Instruction Fuzzy Hash: FEF02371A046047BCB10DF7AAC0145EF7ACDB4577675046BBFC14D3291DB784F088558
APIs
• GetVersion.KERNEL32(?,0046EE9A), ref: 0046EE0E
• CoCreateInstance.OLE32(0049BB9C,00000000,00000001,0049BBAC,?,?,0046EE9A), ref: 0046EE2A
Similarity
• API ID: CreateInstanceVersion
• String ID:
• API String ID: 1462612201-0
• Opcode ID: 7e3b900fcc793c87492424567843667f4fc9824702b62168173c7bf035024e7d
• Instruction ID: 784abeb2b863a263b0685f2ce256345c834679a9cfc70721c753cc97000ad865
• Opcode Fuzzy Hash: 7e3b900fcc793c87492424567843667f4fc9824702b62168173c7bf035024e7d
• Instruction Fuzzy Hash: 2AF0E534241310EEFB11E72BDC4AB4A3BC4AB25714F14403BF144972A1E3EE94808B6F
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
• Instruction ID: 37d1d3aac47cb6b8cd62020f591dd9ac8cec50bf03644e7f1bddec785b1dbc63
• Opcode Fuzzy Hash: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
• Instruction Fuzzy Hash: 63E0227170021452C315A91A8C82AFAB24C9B18314F00427FB948E73C3EDB89E8042ED
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245A1,?,00000000,004245AC), ref: 00423FFE
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
• Instruction ID: 626c949ff67c0b5daba62b8ffba664747ea83a29b03f4787c3cb7294a8149fcf
• Opcode Fuzzy Hash: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
• Instruction Fuzzy Hash: 9CF0B379205608AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234EE808F94
APIs
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
• Instruction ID: 82cf1e81aeab4cdf4c711474db213eebdc1b2e178f500b1422eacd8e28b83923
• Opcode Fuzzy Hash: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
• Instruction Fuzzy Hash: 0AD0C27230460063C700AAA99C826AA359C8B84305F00883F3CC5DA2C3EABDDA4C5696
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F9DC
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
• Instruction ID: 416a4692ed3cb8c0a12f59f0b22837e163b9cfd3c66ebd18f18690eb3ad7abe4
• Opcode Fuzzy Hash: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
• Instruction Fuzzy Hash: 07D0A7B220010C7FDB00DE98D840D6B33BC9B8C700B90C826F945C7241D234EDA0CBB8

Control-flow Graph (rendered graph omitted; nodes marked Executed / Not Executed in the original report)
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0046FC5C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,00470539,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00470584,?,?,0049E1E4,00000000), ref: 0047052C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseValue
                                                                                                                                                                                  • String ID: " /SILENT$5.5.9 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$_is1
                                                                                                                                                                                  • API String ID: 3132538880-2925550972
                                                                                                                                                                                  • Opcode ID: bc37eb7b33f48fd6375a2aa0431a5c1acc9702acff4f8118334c88b6a14bec13
                                                                                                                                                                                  • Instruction ID: 8dffaa2781584bc6e947bd791be20880efee78ab32c439a28404737c84d0984c
                                                                                                                                                                                  • Opcode Fuzzy Hash: bc37eb7b33f48fd6375a2aa0431a5c1acc9702acff4f8118334c88b6a14bec13
                                                                                                                                                                                  • Instruction Fuzzy Hash: F8124F34A00108DBDB04EB55E991ADE77F5EF48304F60807BE804AB3A5EB79BD45CB59

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
                                                                                                                                                                                  • GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406655
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040666B
                                                                                                                                                                                  • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406676
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$HandleModulePolicyProcessVersion
                                                                                                                                                                                  • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                                                                                                                                                  • API String ID: 3297890031-2388063882
                                                                                                                                                                                  • Opcode ID: 7c5204fbbc2168c2f62eadc490ed385a4cfd672bd01c7cc457884a48157f0828
                                                                                                                                                                                  • Instruction ID: 52ceb319b1b10a2745084cc2a18598c2ecefae742a63aceaaee3a2f28509b87b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c5204fbbc2168c2f62eadc490ed385a4cfd672bd01c7cc457884a48157f0828
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7061F130A00109EBCB01FBA6D982D8E77B9AB44709B214077B405772E6DB3DEF199B5D

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 2824 484e68-484e8d GetModuleHandleA GetProcAddress 2825 484e8f-484ea5 GetNativeSystemInfo GetProcAddress 2824->2825 2826 484ef4-484ef9 GetSystemInfo 2824->2826 2827 484efe-484f07 2825->2827 2828 484ea7-484eb2 GetCurrentProcess 2825->2828 2826->2827 2829 484f09-484f0d 2827->2829 2830 484f17-484f1e 2827->2830 2828->2827 2837 484eb4-484eb8 2828->2837 2831 484f0f-484f13 2829->2831 2832 484f20-484f27 2829->2832 2833 484f39-484f3e 2830->2833 2835 484f29-484f30 2831->2835 2836 484f15-484f32 2831->2836 2832->2833 2835->2833 2836->2833 2837->2827 2838 484eba-484ec1 call 452e60 2837->2838 2838->2827 2842 484ec3-484ed0 GetProcAddress 2838->2842 2842->2827 2843 484ed2-484ee9 GetModuleHandleA GetProcAddress 2842->2843 2843->2827 2844 484eeb-484ef2 2843->2844 2844->2827
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
                                                                                                                                                                                  • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2
                                                                                                                                                                                  • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484EF9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                                                                                                  • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                                                                                                  • API String ID: 2230631259-2623177817
                                                                                                                                                                                  • Opcode ID: cd68709e737b022a93ba3f5ff6983bcc42b0d1d8f8071fae57a82298f7546d18
                                                                                                                                                                                  • Instruction ID: 19f93fc1e60286517b98713993879556ba5b021e510ed05db2a10d1898c9039d
                                                                                                                                                                                  • Opcode Fuzzy Hash: cd68709e737b022a93ba3f5ff6983bcc42b0d1d8f8071fae57a82298f7546d18
                                                                                                                                                                                  • Instruction Fuzzy Hash: E8110351109353A4E721B3796E46B7F25889B8031CF080C7F7B84666C6EA7CC845833F

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 2845 469a0c-469a44 call 47d578 2848 469c26-469c40 call 403420 2845->2848 2849 469a4a-469a5a call 47a06c 2845->2849 2854 469a5f-469aa4 call 407d44 call 403738 call 42e26c 2849->2854 2860 469aa9-469aab 2854->2860 2861 469ab1-469ac6 2860->2861 2862 469c1c-469c20 2860->2862 2863 469adb-469ae2 2861->2863 2864 469ac8-469ad6 call 42e19c 2861->2864 2862->2848 2862->2854 2866 469ae4-469b06 call 42e19c call 42e1b4 2863->2866 2867 469b0f-469b16 2863->2867 2864->2863 2866->2867 2885 469b08 2866->2885 2869 469b6f-469b76 2867->2869 2870 469b18-469b3d call 42e19c * 2 2867->2870 2872 469bbc-469bc3 2869->2872 2873 469b78-469b8a call 42e19c 2869->2873 2892 469b3f-469b48 call 431998 2870->2892 2893 469b4d-469b5f call 42e19c 2870->2893 2875 469bc5-469bf9 call 42e19c * 3 2872->2875 2876 469bfe-469c14 RegCloseKey 2872->2876 2886 469b8c-469b95 call 431998 2873->2886 2887 469b9a-469bac call 42e19c 2873->2887 2875->2876 2885->2867 2886->2887 2887->2872 2900 469bae-469bb7 call 431998 2887->2900 2892->2893 2893->2869 2902 469b61-469b6a call 431998 2893->2902 2900->2872 2902->2869
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,00469C26,?,?,00000001,00000000,00000000,00469C41,?,00000000,00000000,?), ref: 00469C0F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • %s\%s_is1, xrefs: 00469A89
                                                                                                                                                                                  • Inno Setup: User Info: Organization, xrefs: 00469BDE
                                                                                                                                                                                  • Inno Setup: Setup Type, xrefs: 00469B1E
                                                                                                                                                                                  • Inno Setup: Selected Components, xrefs: 00469B2E
                                                                                                                                                                                  • Inno Setup: Icon Group, xrefs: 00469AEA
                                                                                                                                                                                  • Inno Setup: Selected Tasks, xrefs: 00469B7B
                                                                                                                                                                                  • Inno Setup: User Info: Name, xrefs: 00469BCB
                                                                                                                                                                                  • Inno Setup: Deselected Components, xrefs: 00469B50
                                                                                                                                                                                  • Inno Setup: Deselected Tasks, xrefs: 00469B9D
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469A6B
                                                                                                                                                                                  • Inno Setup: App Path, xrefs: 00469ACE
                                                                                                                                                                                  • Inno Setup: No Icons, xrefs: 00469AF7
                                                                                                                                                                                  • Inno Setup: User Info: Serial, xrefs: 00469BF1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                  • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                                                                                  • API String ID: 47109696-1093091907
                                                                                                                                                                                  • Opcode ID: 4c47772e7264278c1f1c36682a28658a2c65fb6567e9afa7e67a01330b73d777
                                                                                                                                                                                  • Instruction ID: c7de7197f4a769c9e7c3cd52df4c64fbb683598124d789e1de9a85ab418445f9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c47772e7264278c1f1c36682a28658a2c65fb6567e9afa7e67a01330b73d777
                                                                                                                                                                                  • Instruction Fuzzy Hash: C4519430A006089BCB15DB66D941BEEB7F9EF49304F5084BAE84067395E7B8AF01CB5D

Control-flow Graph
• Graph image not captured for this function

APIs
  • Part of subcall function 0042DCE8: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0045451C,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D), ref: 0042DCFB
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042DD40: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
  • Part of subcall function 0042DD40: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60
• SHGetKnownFolderPath.SHELL32(0049BD44,00008000,00000000,?,00000000,0047DC4C), ref: 0047DB52
• CoTaskMemFree.OLE32(?,0047DB95), ref: 0047DB88
  • Part of subcall function 0042D658: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DE8E,00000000,0042DF20,?,?,?,0049D62C,00000000,00000000), ref: 0042D683
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 3771764029-544719455
• Opcode ID: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
• Instruction ID: 0fe7c2c5921331aa3b985ab989dbf77b3a087c61dea5e3792aec770f31e1cce1
• Opcode Fuzzy Hash: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
• Instruction Fuzzy Hash: A061B234E24204AFDB11EFA6D84269E7B78EF84318F51C57BE404AB391D77CAA41CA1D

Control-flow Graph
• Graph image not captured; basic blocks 45d3bc-45d63e. Call sites in graph order: GetVersion, GetModuleHandleA, GetProcAddress (x3), call 45d2c4, call 4031bc, call 406e2c, AllocateAndInitializeSid, GetLastError, call 4031bc (x2), LocalFree

APIs
• GetVersion.KERNEL32 ref: 0045D3D6
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D3F6
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D403
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D410
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D41E
  • Part of subcall function 0045D2C4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D363,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D33D
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4D7
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4E0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: 0336fb35fd749793045182d1361f828010284629c3cee937cf748adbc12729e9
• Instruction ID: 1fdbc06bdf38f6500452038ca5d2f44928d617c4984e35671f0aa61f53d98d16
• Opcode Fuzzy Hash: 0336fb35fd749793045182d1361f828010284629c3cee937cf748adbc12729e9
• Instruction Fuzzy Hash: D35183B1D00208EFDB20DF99C841BAEB7B8EF49315F14806AF904B7382D6789945CF69

Control-flow Graph
• Graph image not captured; basic blocks 47e184-47e2ee. Call sites in graph order: call 42dd14, call 42c84c, call 4035c0, call 452d1c, call 47de48, call 40357c, call 42e7e4 (x2), call 407d44, call 453aac, GetProcAddress, call 453aac, call 403420, call 403400

APIs
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047E2B1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressDirectoryProcSystem
• String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 996212319-3422985891
• Opcode ID: 2ee55fa07f5402e21f3b06f2d1869faf56609dd587cb054fbf2c8bfa1446e0f1
• Instruction ID: 9758cc0716918fe71002c31ee1435c1447d2ac946059de1b269defc554b01a12
• Opcode Fuzzy Hash: 2ee55fa07f5402e21f3b06f2d1869faf56609dd587cb054fbf2c8bfa1446e0f1
• Instruction Fuzzy Hash: C9415830A00119DFDB10DFA6C9415DE77B8FB48309F50C9BBE414A7252D7389E05CB59
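
Triage note on the three records above. The strings `Inno Setup: App Path`, `%s\%s_is1` and `Software\Microsoft\Windows\CurrentVersion\Uninstall` are the value names and key pattern an Inno Setup installer writes for its uninstall entry; `_isetup\_shfoldr.dll` with `SHGetFolderPathA` is the SHFolder shim Inno Setup extracts into its temp directory; and the advapi32 triple `GetNamedSecurityInfoW`, `SetEntriesInAclW`, `SetNamedSecurityInfoW` resolved at runtime next to `AllocateAndInitializeSid` is the sequence a permission-granting helper uses to rewrite a file or key DACL. So part of what the report flags as "dynamically determine API calls" is installer-framework code; the check a practitioner wants is which of these call sites the sample's own payload reaches, and what object the DACL rewrite targets. One caveat when reading the argument lists: they are stack snapshots at the call site, not decoded parameters, which is why `GetLastError` (no parameters) is shown with the same sixteen values as the `AllocateAndInitializeSid` call before it. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the form the report prints (the two listings are copied from the records for 0045D3BC and 0047E184 as constructed input), truncates each argument list to the documented parameter count, and pairs every `GetProcAddress` with the module handle fetched most recently in the same listing. The function names, the `FORMAL_PARAMS` counts and the `CAPABILITY_TAGS` labels are my own choices, not anything from the report.

```python
"""Summarise dynamically resolved imports from Joe Sandbox API-call listings.

Added example (not report or sample code). Parses lines such as
"GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D410".
"""
import re

# Constructed input: API lines copied from the records for function 0045D3BC
# (advapi32 ACL helpers) and function 0047E184 (SHGetFolderPathA lookup).
FUNC_45D3BC = [
    "GetVersion.KERNEL32 ref: 0045D3D6",
    "GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D3F6",
    "GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D403",
    "GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D410",
    "GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D41E",
    "Part of subcall function 0045D2C4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D363,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D33D",
    "AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4D7",
    "GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4E0",
]
FUNC_47E184 = [
    "Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27",
    "GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047E2B1",
]

API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Documented Win32 parameter counts (my table, extend as needed). Anything the
# report prints beyond these is neighbouring stack content, not an argument.
FORMAL_PARAMS = {
    "GetModuleHandleA": 1, "GetModuleHandleW": 1,
    "LoadLibraryA": 1, "LoadLibraryW": 1, "LoadLibraryExA": 3, "LoadLibraryExW": 3,
    "GetProcAddress": 2, "GetVersion": 0, "GetLastError": 0,
    "GetSystemDirectoryA": 2, "MultiByteToWideChar": 6,
    "AllocateAndInitializeSid": 11,
}


def parse_api_line(line):
    """Return a dict for one API line, or None if the line is not an API entry."""
    m = API_LINE.match(line.strip().lstrip("• ").strip())
    if m is None:
        return None
    raw = [a for a in (m["args"] or "").split(",") if a]
    n = FORMAL_PARAMS.get(m["api"])
    formal = raw if n is None else raw[:n]
    return {"api": m["api"], "module": m["mod"], "ref": m["ref"],
            "subcall": m["sub"], "args": formal, "stack_tail": raw[len(formal):]}


def dynamic_imports(lines):
    """Pair each GetProcAddress with the DLL whose handle was fetched most
    recently in the same listing. The DLL is None when the listing shows no
    GetModuleHandle*/LoadLibrary* call (it happened in an unlisted subcall)."""
    current_dll, resolved = None, []
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            continue
        if rec["api"].startswith(("GetModuleHandle", "LoadLibrary")) and rec["args"]:
            current_dll = rec["args"][0].lower()
        elif rec["api"] == "GetProcAddress" and len(rec["args"]) == 2:
            symbol = rec["args"][1]
            # Skip unresolved ("?") or numeric (ordinal/pointer) second arguments.
            if symbol != "?" and not re.fullmatch(r"[0-9A-F]{8}", symbol):
                resolved.append((current_dll, symbol, rec["ref"]))
    return resolved


# Capability labels for the symbols seen in this report (my wording).
CAPABILITY_TAGS = {
    "GetNamedSecurityInfoW": "reads object security descriptor",
    "SetNamedSecurityInfoW": "rewrites object DACL",
    "SetEntriesInAclW": "rewrites object DACL",
    "SHGetFolderPathA": "resolves shell folder paths",
}


def capabilities(resolved):
    """Distinct capability labels for a list returned by dynamic_imports()."""
    return sorted({CAPABILITY_TAGS[s] for _, s, _ in resolved if s in CAPABILITY_TAGS})


if __name__ == "__main__":
    for name, lines in (("0045D3BC", FUNC_45D3BC), ("0047E184", FUNC_47E184)):
        imports = dynamic_imports(lines)
        print(name, imports, capabilities(imports))
```

For 0047E184 the module comes back as None because the `LoadLibrary` of `shfolder.dll` or `_isetup\_shfoldr.dll` happens in a subcall the record does not list; that is the case to resolve by hand (or from the dynamic API trace) before deciding whether the DLL was loaded from the system directory or from the installer's temp directory.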

Control-flow Graph
• Graph image not captured; basic blocks 423cc4-423dfb. Call sites in graph order: call 41f814, GetClassInfoA, RegisterClassA, call 40910c, call 40311c, GetSystemMetrics (x2), call 403738, call 4062f8, call 403400, call 423a9c, SetWindowLongA, call 4245c8, SendMessageA, GetSystemMenu, DeleteMenu (x3)

APIs
  • Part of subcall function 0041F814: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832
• GetClassInfoA.USER32(00400000,00423ACC), ref: 00423CEF
• RegisterClassA.USER32(0049B630), ref: 00423D07
• GetSystemMetrics.USER32(00000000), ref: 00423D29
• GetSystemMetrics.USER32(00000001), ref: 00423D38
• SetWindowLongA.USER32(004108B0,000000FC,00423ADC), ref: 00423D94
• SendMessageA.USER32(004108B0,00000080,00000001,00000000), ref: 00423DB5
• GetSystemMenu.USER32(004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DC0
• DeleteMenu.USER32(00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DCF
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423DDC
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423DF2
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID:
• API String ID: 183575631-0
• Opcode ID: 3116a5487ebf53a9d66fce753d5cf134baefce0d2e8bfc1e8daa4fcba584e635
• Instruction ID: 7df3f4c256e16cf88ed5bb8a347b5b3a25df550de305930316ee8fcfc6e0617b
• Opcode Fuzzy Hash: 3116a5487ebf53a9d66fce753d5cf134baefce0d2e8bfc1e8daa4fcba584e635
• Instruction Fuzzy Hash: 203164B17502106AEB10AF65DC86F6A3698D714709F60017AFA40EF2D7C6BDED40476D

Control-flow Graph
APIs
• FreeLibrary.KERNEL32(00000000), ref: 00482DFD
• FreeLibrary.KERNEL32(00000000), ref: 00482E11
• SendNotifyMessageA.USER32(000104A6,00000496,00002710,00000000), ref: 00482E83
Strings
• Deinitializing Setup., xrefs: 00482C5E
• Not restarting Windows because Setup is being run from the debugger., xrefs: 00482E32
• Restarting Windows., xrefs: 00482E5E
• GetCustomSetupExitCode, xrefs: 00482C9D
• DeinitializeSetup, xrefs: 00482CF9
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeLibrary$MessageNotifySend
• String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
• API String ID: 3817813901-1884538726
• Opcode ID: e5211ca08898a9106291910dfe2dba0549e66411077619477168a2445555e2a8
• Instruction ID: 87ca8a1097935e6c4637b022688acffdd958b69fb8a4991d3dc3ea9519d40e2c
• Opcode Fuzzy Hash: e5211ca08898a9106291910dfe2dba0549e66411077619477168a2445555e2a8
• Instruction Fuzzy Hash: F851AA30600200EFD711EF6AD949B6E7BE4EB19718F51897BE800D72A1DBB89C45CB5D
APIs
• GetActiveWindow.USER32 ref: 0042FA2F
• GetFocus.USER32 ref: 0042FA37
• RegisterClassA.USER32(0049B7AC), ref: 0042FA58
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB2C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FA96
• CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FADC
• ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FAED
• SetFocus.USER32(00000000,00000000,0042FB0F,?,?,?,00000001,00000000,?,00458B4E,00000000,0049D62C), ref: 0042FAF4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$CreateFocus$ActiveClassRegisterShow
• String ID: TWindowDisabler-Window
• API String ID: 3167913817-1824977358
• Opcode ID: fec87ca07d7290a4a57da710bc1ddf3081f88a8d4dfe440d170acd63eb0d43c3
• Instruction ID: be32ada46e774ba6914a87ad40c025b2c9e25f6d11d521099bf08b28c91ad89a
• Opcode Fuzzy Hash: fec87ca07d7290a4a57da710bc1ddf3081f88a8d4dfe440d170acd63eb0d43c3
• Instruction Fuzzy Hash: E121B570B40720BAE210EB65EC03F1A76B4EB04B04FA1813BF504BB2D1D7B96C1487AD
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 82da2a28b5003144a588bfd6711196aeba7955ca25a5e24eec6645e80d453e72
• Instruction ID: a193a4472c2853cf72940ff7690ab9972ac4b2f80f688c1a00737a0c34b4483d
• Opcode Fuzzy Hash: 82da2a28b5003144a588bfd6711196aeba7955ca25a5e24eec6645e80d453e72
• Instruction Fuzzy Hash: B211E3B0A00244BBDB00EF66DC03F5E7BA8D70475AF60447BF84166282D6BC9F088A2D
APIs
• SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467ED9
  • Part of subcall function 00467D4C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467DE7
  • Part of subcall function 00467D4C: DestroyCursor.USER32(00000000), ref: 00467DFD
• ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467F30
• SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467F91
• ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467FB7
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Icon$Extract$FileInfo$CursorDestroyDraw
• String ID: c:\directory$shell32.dll
• API String ID: 3376378930-1375355148
• Opcode ID: 5f39b0330533c07a7ed62396f03ad1b0497855389b17cb99d84a9eecbd47350c
• Instruction ID: adf232676f9dc8545d434ff73a7213ff4163269ef5d9f53791e9b27a0c2465ea
• Opcode Fuzzy Hash: 5f39b0330533c07a7ed62396f03ad1b0497855389b17cb99d84a9eecbd47350c
• Instruction Fuzzy Hash: 64516D70644208AFD750EF65CC85FDEBBA8EB48308F1085A7F5089B391DA399E85CB59
APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430DE8
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430DF7
• GetCurrentThreadId.KERNEL32 ref: 00430E11
• GlobalAddAtomA.KERNEL32(00000000), ref: 00430E32
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
• Opcode ID: 50811bd1b0b0bc88e10382fd261453b7235327efbd1eb80bce93881789032006
• Instruction ID: dd09876b0f9c3184917b018614b917cdad608ae665b29eb2c15b2e3af62d5cdc
• Opcode Fuzzy Hash: 50811bd1b0b0bc88e10382fd261453b7235327efbd1eb80bce93881789032006
• Instruction Fuzzy Hash: 98F082B09483409ED300EF26890371A7AE0AB58708F404F3FB48CA2291D7399910CB1F
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994,00000000), ref: 00455922
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994), ref: 0045592F
                                                                                                                                                                                    • Part of subcall function 004556E4: WaitForInputIdle.USER32(?,00000032), ref: 00455710
                                                                                                                                                                                    • Part of subcall function 004556E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455732
                                                                                                                                                                                    • Part of subcall function 004556E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
                                                                                                                                                                                    • Part of subcall function 004556E4: CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                                                                                                  • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                                                                                                  • API String ID: 854858120-615399546
                                                                                                                                                                                  • Opcode ID: 3aef928493a85a336b4fdc45b2ef872796c76b537a4fe3cf952342f788ba9a48
                                                                                                                                                                                  • Instruction ID: 19165e213e9236b89a5b086241af4e71530f18fc7e42ed674525c8849c01d6f6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3aef928493a85a336b4fdc45b2ef872796c76b537a4fe3cf952342f788ba9a48
                                                                                                                                                                                  • Instruction Fuzzy Hash: F4514A7060074DABDB11EF96C892BEEBBB9AF44315F50403BF804BB282D77C99198759
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
                                                                                                                                                                                  • OemToCharA.USER32(?,?), ref: 00423BAC
                                                                                                                                                                                  • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Char$FileIconLoadLowerModuleName
                                                                                                                                                                                  • String ID: 2$MAINICON
                                                                                                                                                                                  • API String ID: 3935243913-3181700818
                                                                                                                                                                                  • Opcode ID: 2e0daf861a267c93a269a4f119f07de5e1938d0dfec9cee71ee680dfb3eef85b
                                                                                                                                                                                  • Instruction ID: e5d3831d9b5483d4bbbd2f836839ca6b10e9aa02fde8f17f2ef2fb4492c3d901
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2e0daf861a267c93a269a4f119f07de5e1938d0dfec9cee71ee680dfb3eef85b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6031A271A042549ADB10EF29C8C57C67BE8AF14308F4045BAE844DB383D7BED988CB59
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(00000000), ref: 0041938D
                                                                                                                                                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 004193AE
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 004193C9
                                                                                                                                                                                  • GlobalAddAtomA.KERNEL32(00000000), ref: 004193EA
                                                                                                                                                                                    • Part of subcall function 00423518: GetDC.USER32(00000000), ref: 0042356E
                                                                                                                                                                                    • Part of subcall function 00423518: EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
                                                                                                                                                                                    • Part of subcall function 00423518: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423589
                                                                                                                                                                                    • Part of subcall function 00423518: ReleaseDC.USER32(00000000,00000000), ref: 00423594
                                                                                                                                                                                    • Part of subcall function 00423ADC: LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
                                                                                                                                                                                    • Part of subcall function 00423ADC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
                                                                                                                                                                                    • Part of subcall function 00423ADC: OemToCharA.USER32(?,?), ref: 00423BAC
                                                                                                                                                                                    • Part of subcall function 00423ADC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC
                                                                                                                                                                                    • Part of subcall function 0041F568: GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
                                                                                                                                                                                    • Part of subcall function 0041F568: SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
                                                                                                                                                                                    • Part of subcall function 0041F568: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
                                                                                                                                                                                    • Part of subcall function 0041F568: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
                                                                                                                                                                                    • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                                                                                                  • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                                                                                                  • API String ID: 316262546-2767913252
                                                                                                                                                                                  • Opcode ID: e4565b8fba9480968b1ec32b488455297d6f31b702462cc9ec0cccc8cb2a2db4
                                                                                                                                                                                  • Instruction ID: 7870b9ea93aa7f75565cd31cdf92f475c288cd9ab0443d66b722f1effdfa130a
                                                                                                                                                                                  • Opcode Fuzzy Hash: e4565b8fba9480968b1ec32b488455297d6f31b702462cc9ec0cccc8cb2a2db4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D112C70A182419AC300FF36D44279A7AE09BA430CF50893FF488AB3A1DB3D9D458B5E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetWindowLongA.USER32(?,000000FC,?), ref: 00413AB4
                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00413ABF
                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F4), ref: 00413AD1
                                                                                                                                                                                  • SetWindowLongA.USER32(?,000000F4,?), ref: 00413AE4
                                                                                                                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 00413AFB
                                                                                                                                                                                  • SetPropA.USER32(?,00000000,00000000), ref: 00413B12
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LongWindow$Prop
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3887896539-0
                                                                                                                                                                                  • Opcode ID: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
                                                                                                                                                                                  • Instruction ID: a594f7604add2a8bfce9427623ad02c9736cb33a5a72341fbb506abd62de3718
                                                                                                                                                                                  • Opcode Fuzzy Hash: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0811CC75500244BFDF00DF99ED88E9A3BE8EB09364F104276B914DB2E1D739D990CB94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0049D420,00000000,00401B68), ref: 00401ABD
                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
                                                                                                                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
                                                                                                                                                                                  • RtlLeaveCriticalSection.KERNEL32(0049D420,00401B6F), ref: 00401B58
                                                                                                                                                                                  • RtlDeleteCriticalSection.KERNEL32(0049D420,00401B6F), ref: 00401B62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3782394904-0
                                                                                                                                                                                  • Opcode ID: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
                                                                                                                                                                                  • Instruction ID: 86217af8f0c65890f5da76d4fe10d609cc5e2f7049d93a5e71f2b830536aceac
                                                                                                                                                                                  • Opcode Fuzzy Hash: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A11BF70E003405AEB15AB659D82B267BE4976570CF44007BF50067AF1D77CB840C76E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 00473259
                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,00473284,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473277
                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 0047337B
                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,004733A6,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473399
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Find$CloseFileNext
                                                                                                                                                                                  • String ID: I
                                                                                                                                                                                  • API String ID: 2066263336-1966777607
                                                                                                                                                                                  • Opcode ID: 8b65bf247db3295ca275b67f998f10653201df018fbb24eda57c1ca99500e988
                                                                                                                                                                                  • Instruction ID: 1af051264105f0c3ac5173717805306f181c97d1b343904b0a5707565e1f6f82
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b65bf247db3295ca275b67f998f10653201df018fbb24eda57c1ca99500e988
                                                                                                                                                                                  • Instruction Fuzzy Hash: F2C13C7490425DAFCF11DFA5C881ADEBBB9FF49304F5081AAE808A3351D7399A46CF54
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045600B,?,00000000,0045604B), ref: 00455F51
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • PendingFileRenameOperations, xrefs: 00455EF0
                                                                                                                                                                                  • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455ED4
                                                                                                                                                                                  • PendingFileRenameOperations2, xrefs: 00455F20
                                                                                                                                                                                  • WININIT.INI, xrefs: 00455F80
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                  • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                                                                                                  • API String ID: 47109696-2199428270
                                                                                                                                                                                  • Opcode ID: d50b001d9c5861cf59dff7f380f4b5b732c1d3e96307ee4737eba963c52de0e7
                                                                                                                                                                                  • Instruction ID: cd3286cbb97796e9ecd700c4ab963dac99c65abdd87cbf21601b40f17af9d083
                                                                                                                                                                                  • Opcode Fuzzy Hash: d50b001d9c5861cf59dff7f380f4b5b732c1d3e96307ee4737eba963c52de0e7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1551B930E001089FDB11EF61DC51ADEB7B9EF44705F5085BBE804A72D2DB39AE45CA58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF33
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF3C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                  • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                                                                                                                  • API String ID: 1375471231-2952887711
                                                                                                                                                                                  • Opcode ID: 11c41cff4b2e26d29b59e317b5d01f68a09a239768e9d902b03435ecaad13ccb
                                                                                                                                                                                  • Instruction ID: ecaa8d991a706e785fb0a456308ec2ceb04ba6e672c042181299f5b248b5f278
                                                                                                                                                                                  • Opcode Fuzzy Hash: 11c41cff4b2e26d29b59e317b5d01f68a09a239768e9d902b03435ecaad13ccb
                                                                                                                                                                                  • Instruction Fuzzy Hash: A2414634A101099BCB01EF95DC81ADEB7B9EF44309F50847BE901B7392DB38AE05CB69
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2A0
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E43B,00000000,0042E453,?,?,?,?,00000006,?,00000000,00499145), ref: 0042E2BB
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E2C1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressDeleteHandleModuleProc
                                                                                                                                                                                  • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                                                                                                                  • API String ID: 588496660-1846899949
                                                                                                                                                                                  • Opcode ID: ec6d5e68239a8fd64e2f61c23397c604527ea817bc29ae7d62183104243c5598
                                                                                                                                                                                  • Instruction ID: a3ecee3a08e4bdafa542c89306e26d0a5ab5c090d3d5ae483566a3001d088d92
                                                                                                                                                                                  • Opcode Fuzzy Hash: ec6d5e68239a8fd64e2f61c23397c604527ea817bc29ae7d62183104243c5598
                                                                                                                                                                                  • Instruction Fuzzy Hash: B8E065B0740234EAD7142A66BC4AFA7260CEB54726F940877F10A661D187BC1C40D66C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • PrepareToInstall failed: %s, xrefs: 0046CB2E
                                                                                                                                                                                  • NextButtonClick, xrefs: 0046C90C
                                                                                                                                                                                  • Need to restart Windows? %s, xrefs: 0046CB55
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                                                                                                                  • API String ID: 0-2329492092
                                                                                                                                                                                  • Opcode ID: ebfc2607376cb04f425a2d3c00381ecc1694a3302aa6984b8e16fe089a6463b4
                                                                                                                                                                                  • Instruction ID: 93777efb9077a0228fe374709ad1741880755db4a3f7640889f56f3bdeecc4c5
                                                                                                                                                                                  • Opcode Fuzzy Hash: ebfc2607376cb04f425a2d3c00381ecc1694a3302aa6984b8e16fe089a6463b4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9CD17F34A00108DFCB10EFA9C585AED7BF5EF49304F6444BAE444AB352E738AE45DB5A
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetActiveWindow.USER32(?,?,00000000,004847C1), ref: 00484594
                                                                                                                                                                                  • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00484632
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ActiveChangeNotifyWindow
                                                                                                                                                                                  • String ID: $Need to restart Windows? %s
                                                                                                                                                                                  • API String ID: 1160245247-4200181552
                                                                                                                                                                                  • Opcode ID: 34477d42e93b382d78fd1b3fe4f375c07bfc6d549a7fd2ae5468f78b95871883
                                                                                                                                                                                  • Instruction ID: cbf7044c9224e5df34f4324165486d78489046a6efa1a602e4c0c9b5677eb74d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 34477d42e93b382d78fd1b3fe4f375c07bfc6d549a7fd2ae5468f78b95871883
                                                                                                                                                                                  • Instruction Fuzzy Hash: C591A334A042459FDB10FB66D885B9D77E0AF5A308F1444BBE800973A2D77CAD45CB5E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000), ref: 00454A8A
                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,00454AB5,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000,00000000), ref: 00454AA8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Find$CloseFileNext
                                                                                                                                                                                  • String ID: .H$ .H
                                                                                                                                                                                  • API String ID: 2066263336-1676226347
                                                                                                                                                                                  • Opcode ID: ff4ed68c57a0d298832a8e289a05f0a49072924424f8e3e4963c38c144bad6ce
                                                                                                                                                                                  • Instruction ID: 86a97b531f1ad2b4b7463d4220b8e0547854eedc1a857b6a9afda59406c2b972
                                                                                                                                                                                  • Opcode Fuzzy Hash: ff4ed68c57a0d298832a8e289a05f0a49072924424f8e3e4963c38c144bad6ce
                                                                                                                                                                                  • Instruction Fuzzy Hash: CF81A43490428DAFCF11DF65C8417EFBBB4AF89309F1440A6D8546B392C3399E8ACB58
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00470B35,?,?,0049E1E4,00000000), ref: 00470A12
                                                                                                                                                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00470A8C
                                                                                                                                                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00470AB1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                                                                                                  • String ID: Creating directory: %s
                                                                                                                                                                                  • API String ID: 2451617938-483064649
                                                                                                                                                                                  • Opcode ID: 519d604a295cfca3f5bc7865948506fb75fa43ea9c4cb787d6d2d3d896bd866d
                                                                                                                                                                                  • Instruction ID: 27f0dcb835b35bf1686b0556d16ec1317b7bae4cbab61287d01ee882f408922b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 519d604a295cfca3f5bc7865948506fb75fa43ea9c4cb787d6d2d3d896bd866d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0251FE74E01248ABDB01DFA5C982BDEB7F5AF48308F50856AE844B7382D7785F04CB59
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004555EA
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004556B0), ref: 00455654
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressByteCharMultiProcWide
                                                                                                                                                                                  • String ID: SfcIsFileProtected$sfc.dll
                                                                                                                                                                                  • API String ID: 2508298434-591603554
                                                                                                                                                                                  • Opcode ID: f7e58a0fd106200e4f3bc04200b2cacc58717943215cb6059fe45d01fbc32bb5
                                                                                                                                                                                  • Instruction ID: f46810b5b314b431af4f43299c3fabe32507941823b9175d405aae5aeba4d308
                                                                                                                                                                                  • Opcode Fuzzy Hash: f7e58a0fd106200e4f3bc04200b2cacc58717943215cb6059fe45d01fbc32bb5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9141A470A00618AFEB20DF55DC95BAD77B8AB04319F5080B7E90CA7292D7789F48CE1D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • 751C1520.VERSION(00000000,?,?,?,?), ref: 00452C74
                                                                                                                                                                                  • 751C1500.VERSION(00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CA1
                                                                                                                                                                                  • 751C1540.VERSION(?,00452D18,?,?,00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CBB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: C1500C1520C1540
                                                                                                                                                                                  • String ID: )-E
                                                                                                                                                                                  • API String ID: 1315064709-3997256589
                                                                                                                                                                                  • Opcode ID: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
                                                                                                                                                                                  • Instruction ID: 50707f88950aac898d8c4389756beb7c92bb5193b179b1fc1fca76f0aa7be7f8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2B219275A00648AFDB01DAA99D419AFB7FCEB4A301F554077FC00E3282D6B99E088769
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
• Instruction ID: c00c8b1b907268fe45c84c5108a6570d36dd98a08fca56cdb76ff5d345661702
• Opcode Fuzzy Hash: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
• Instruction Fuzzy Hash: 8F21D360E452418ADB10AB75ED8171A3B8097F930CF04817BE700B73E2C67CD84687AE
APIs
• LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 004503F8
• LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 0045043E
  • Part of subcall function 00450360: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450378
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystem
• String ID: RICHED20.DLL$RICHED32.DLL
• API String ID: 2630572097-740611112
• Opcode ID: 9fcc27b6184eb67fa55648afaa4eab07c2ec715cb05f6099bae96d6f0231ec87
• Instruction ID: 45d93e0d121fe09c7a50066aca23a685df4873c559958f5edeb39e7b45036801
• Opcode Fuzzy Hash: 9fcc27b6184eb67fa55648afaa4eab07c2ec715cb05f6099bae96d6f0231ec87
• Instruction Fuzzy Hash: EB216374900108EFDB10FF61E846B5D77F8EB55319F50447BE500A6162D7785A49CF5C
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F201
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: ef2fe5795da2c79bebcfc8bc045bc88b8cffcc678c25b10b165038ef52182f9f
• Instruction ID: f8fd25663858203a515409cfb2833324ac242db414aae85ffba9c986139a78a3
• Opcode Fuzzy Hash: ef2fe5795da2c79bebcfc8bc045bc88b8cffcc678c25b10b165038ef52182f9f
• Instruction Fuzzy Hash: 9701D274B00718EBE711DB65EC42B5E7BFCDB99704FE000B7B404A2291DAB99E48C62C
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegCloseKey.ADVAPI32(?,00456217,?,00000001,00000000), ref: 0045620A
Strings
• PendingFileRenameOperations2, xrefs: 004561EB
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004561B8
• PendingFileRenameOperations, xrefs: 004561DC
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: ff58e6e514d7c1611efeb73a4d2cf6eb9d9af067b9b8efd5cae166e7ece2cc9c
• Instruction ID: 13f9a8dc2762523c9d5034016e8e0e4cf56d15ba7b570f5b98feacd54ef34b89
• Opcode Fuzzy Hash: ff58e6e514d7c1611efeb73a4d2cf6eb9d9af067b9b8efd5cae166e7ece2cc9c
• Instruction Fuzzy Hash: F2F06271348204ABD714E6E69C13B5B739CD784B15FE284A6F80487982EA79AD14962C
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version$VtG$I
• API String ID: 3702945584-29442299
• Opcode ID: 220c20457a03c4fc65b096bd6025ac965394d29a13c1efd5e5d1aadad6d68a6c
• Instruction ID: 298cf4f1533d54ab550fd3d15e19e6a926ba71f9f01c0afe6301adb1283b93e4
• Opcode Fuzzy Hash: 220c20457a03c4fc65b096bd6025ac965394d29a13c1efd5e5d1aadad6d68a6c
• Instruction Fuzzy Hash: E7E06D713013043BD710AA2BAC85F5BAADCDF987A5F00403AB948DB392D578ED0542A8
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00481201), ref: 004810AE
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00481201), ref: 004810BB
• FindNextFileA.KERNEL32(000000FF,?,00000000,004811D4,?,?,?,?,00000000,00481201), ref: 004811B0
• FindClose.KERNEL32(000000FF,004811DB,004811D4,?,?,?,?,00000000,00481201), ref: 004811CE
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 63da60fc703e6e8aa7dcaf1f4a84ca4d1db4635fe8be35313377f08196bdfc45
• Instruction ID: 32ce0b593b226a8a495a7b16ec3f8c392e3281c2b0d16565a73bd1b48714ff7d
• Opcode Fuzzy Hash: 63da60fc703e6e8aa7dcaf1f4a84ca4d1db4635fe8be35313377f08196bdfc45
• Instruction Fuzzy Hash: 95515E75A006489FCB10EF65CC45ADEB7BCEB89315F1045ABA808E7351D6389F86CF58
APIs
• GetMenu.USER32(00000000), ref: 004217B1
• SetMenu.USER32(00000000,00000000), ref: 004217CE
• SetMenu.USER32(00000000,00000000), ref: 00421803
• SetMenu.USER32(00000000,00000000), ref: 0042181F
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
                                                                                                                                                                                  • Opcode ID: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
                                                                                                                                                                                  • Instruction ID: 73b485f7b17ee0b128820b03b0310e3fef403fa1ec291b42cca88d6787b8c394
                                                                                                                                                                                  • Opcode Fuzzy Hash: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
                                                                                                                                                                                  • Instruction Fuzzy Hash: 44419E3070426407DB21BF3AA98579B66D55FA0308F4811BFE8458F3A3CA7CCC4A82AD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SendMessageA.USER32(?,?,?,?), ref: 00416FD4
                                                                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00416FEE
                                                                                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00417008
                                                                                                                                                                                  • CallWindowProcA.USER32(?,?,?,?,?), ref: 00417030
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Color$CallMessageProcSendTextWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 601730667-0
                                                                                                                                                                                  • Opcode ID: 49ac1906ee10618a7b6cf5a31eb6510ea09555bfd14ee65fb3a8138f39cbfa7e
                                                                                                                                                                                  • Instruction ID: 97657bf4431c68cea31458eff6611b8cbcc4ca9acdd3171e17da9912607f4e93
                                                                                                                                                                                  • Opcode Fuzzy Hash: 49ac1906ee10618a7b6cf5a31eb6510ea09555bfd14ee65fb3a8138f39cbfa7e
                                                                                                                                                                                  • Instruction Fuzzy Hash: CE114CB1604600AFD710EE6ECD84E87B7ECDF48310B14882AB55ADB612C62CE8818B69
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnumWindows.USER32(00423E6C), ref: 00423EF8
                                                                                                                                                                                  • GetWindow.USER32(?,00000003), ref: 00423F0D
                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
                                                                                                                                                                                  • SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$EnumLongWindows
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4191631535-0
                                                                                                                                                                                  • Opcode ID: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
                                                                                                                                                                                  • Instruction ID: 800f3c7d6b650a9444741cf3b456662361ea129bec99247a5177c247b1bc03b7
                                                                                                                                                                                  • Opcode Fuzzy Hash: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B117071B04610ABDB109F28ED85F5673F4EB08715F12026AF9649B2E2C37CDD40CB58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 0042356E
                                                                                                                                                                                  • EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423589
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00423594
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CapsDeviceEnumFontsRelease
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2698912916-0
                                                                                                                                                                                  • Opcode ID: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
                                                                                                                                                                                  • Instruction ID: 3e91f746c00fb2f600ae5fc17e333cd129bb14a9c5a67b8d5949c9a763c02f3d
                                                                                                                                                                                  • Opcode Fuzzy Hash: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C019EB17457102AE710BF6A5C82B9B37A49F0531DF40427FF908AB3C2DA7E990547AE
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • WaitForInputIdle.USER32(?,00000032), ref: 00455710
                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00455732
                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4071923889-0
                                                                                                                                                                                  • Opcode ID: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
                                                                                                                                                                                  • Instruction ID: d914ecb4f604d225e93de076450c6742835d04a0b91abb11bcb899d5d614385b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6101B570A40A09FEEB20A7A58D16F7F7BADDB49760F610167F904D32C2C6789D00CA68
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                                                                                  • LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                                                                                  • RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 730355536-0
                                                                                                                                                                                  • Opcode ID: 6924fe21b1383dcef356c9aa5819c214f6a77f33e1d4e548cd75cfb9fc70e511
                                                                                                                                                                                  • Instruction ID: 7339f3ebbe1eed2a5a633cb922c09bf0bd68a71b88021a6e55e3f3fb74b7268e
• Opcode Fuzzy Hash: 6924fe21b1383dcef356c9aa5819c214f6a77f33e1d4e548cd75cfb9fc70e511
• Instruction Fuzzy Hash: AB01CCB0E482405EFB19AF699902B293FD4D799748F51803BF441A7AF1CA7C6840CB2E
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
• Opcode ID: 22ddb9d6ab121fa8b7aad317e9abd2d9173961abc661a66fb327fe759d7b9ec5
• Instruction ID: 9be5390d37519caeffefa09d8943b7800c28e667e42796fceef54f4227176e6c
• Opcode Fuzzy Hash: 22ddb9d6ab121fa8b7aad317e9abd2d9173961abc661a66fb327fe759d7b9ec5
• Instruction Fuzzy Hash: 28E0E5213092A855C63035BB58C26AF45C9DA89768B244ABFE088D6283C89C4C05652E
APIs
  • Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
• FlushFileBuffers.KERNEL32(?), ref: 0045CC95
Strings
• NumRecs range exceeded, xrefs: 0045CB92
• EndOffset range exceeded, xrefs: 0045CBC9
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
• Opcode ID: 2260f6877304dea45ba359fb37d430195bc0a3511ff8112a2360352fa9564334
• Instruction ID: 609741d3f79eabe780872f94ce4b5bf90fe53003262008b9b2f446b63576a9fa
• Opcode Fuzzy Hash: 2260f6877304dea45ba359fb37d430195bc0a3511ff8112a2360352fa9564334
• Instruction Fuzzy Hash: 6E615234A002588FDB25DF25D881BDAB7B5EF49305F0084DAED899B352D6B4AEC8CF54
APIs
• GetForegroundWindow.USER32(00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849B1
• SetActiveWindow.USER32(?,00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849C3
Strings
• Will not restart Windows automatically., xrefs: 00484AE2
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$ActiveForeground
• String ID: Will not restart Windows automatically.
• API String ID: 307657957-4169339592
• Opcode ID: 611cf57aec86bfea3a2af854023c09e37a5beb60966471ff9b2a299e19d7bf06
• Instruction ID: e3ffbfa0a86cb08642d5b37a1a1eca219a4b332c0ee086946791bcc458de558f
• Opcode Fuzzy Hash: 611cf57aec86bfea3a2af854023c09e37a5beb60966471ff9b2a299e19d7bf06
• Instruction Fuzzy Hash: 64415930644245EFD714FFA6EC05B6E7BE4D795308F1948B7E8405B392E2BC9800971E
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356
  • Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
  • Part of subcall function 004063F4: GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
  • Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
  • Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453
  • Part of subcall function 00406814: 6F9C1CD0.COMCTL32(0049A4AD), ref: 00406814
  • Part of subcall function 00410BB4: GetCurrentThreadId.KERNEL32 ref: 00410C02
  • Part of subcall function 00419490: GetVersion.KERNEL32(0049A4C6), ref: 00419490
  • Part of subcall function 0044FD1C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
  • Part of subcall function 0044FD1C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D
  • Part of subcall function 004501E8: GetVersionExA.KERNEL32(0049D794,0049A4DF), ref: 004501F7
  • Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
  • Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
  • Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
  • Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976
  • Part of subcall function 00457850: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA
  • Part of subcall function 00465214: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
  • Part of subcall function 00465214: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265
  • Part of subcall function 0046DAB0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB
  • Part of subcall function 00479E68: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
  • Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
  • Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B
  • Part of subcall function 00485374: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485
  • Part of subcall function 0049749C: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004974B5
• SetErrorMode.KERNEL32(00000001,00000000,0049A554), ref: 0049A526
  • Part of subcall function 0049A250: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
  • Part of subcall function 0049A250: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260
  • Part of subcall function 00424924: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424943
  • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
• ShowWindow.USER32(?,00000005,00000000,0049A554), ref: 0049A587
  • Part of subcall function 004839B4: SetActiveWindow.USER32(?), ref: 00483A62
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
• String ID: Setup
• API String ID: 56708735-3839654196
• Opcode ID: cdfde2e51fe0698aa6b85e30c0a1c237bbea7d7fd99d79f8e074734ecee56c62
• Instruction ID: 2627a5300f3eb19f067de96b875d46ae0be93d5911e26a22e66c9acfb87dca20
• Opcode Fuzzy Hash: cdfde2e51fe0698aa6b85e30c0a1c237bbea7d7fd99d79f8e074734ecee56c62
• Instruction Fuzzy Hash: AA31B3712046409EDB01BBB7AC1391D3BA8EB8971CB62487FF90486563DE3D5C24867F
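Two of the records above are the ones an analyst pulls out first: the function summarised as ErrorLast$CountSleepTick pairs Sleep with GetTickCount (the shape of a timing loop), and the Setup function at 0049A526 resolves SetDefaultDllDirectories, SetDllDirectoryW, Wow64DisableWow64FsRedirection, SHGetKnownFolderPath and others at run time through GetModuleHandleA/LoadLibraryA plus GetProcAddress. The Python below is an added example, not code from the Joe Sandbox report or from the analysed installer: it parses records in the layout shown on this page (a record opens at "APIs"; "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" follow; arguments are comma separated inside the parentheses, and "Part of subcall function" prefixes indirect calls) and extracts the run-time resolved export names and the Sleep/GetTickCount pairs. The sample input is a constructed, trimmed copy of three records from this page; that layout is assumed from these records only, not from any published Joe Sandbox format description.

```python
"""Parse Joe Sandbox function records ('APIs' / 'Strings' / 'Similarity'
blocks) and flag two things worth a second look: export names resolved at
run time via GetModuleHandle/GetProcAddress, and Sleep/GetTickCount loops."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records from this report, with the Memory Dump
# Source, IDA plugin and fuzzy-hash lines trimmed to keep it short.
SAMPLE = """\
APIs
  • Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
  • Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
  • Part of subcall function 0044FD1C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
  • Part of subcall function 0044FD1C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D
  • Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
  • Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
• ShowWindow.USER32(?,00000005,00000000,0049A554), ref: 0049A587
Strings
Similarity
• API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
• String ID: Setup
APIs
  • Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
• FlushFileBuffers.KERNEL32(?), ref: 0045CC95
Strings
• NumRecs range exceeded, xrefs: 0045CB92
• EndOffset range exceeded, xrefs: 0045CBC9
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
APIs
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^•\s*(?P<text>.+?), xrefs: (?P<addr>[0-9A-F]{8})$")
SECTIONS = ("Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: str  # sub-function address for "Part of subcall" lines, else ""

@dataclass
class Record:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    ids: dict = field(default_factory=dict)       # "API ID", "String ID", ...

def parse_records(text):
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every record opens with this header
            records.append(Record())
            section = "apis"
        elif line in SECTIONS:
            section = line
        elif line.startswith("•") and records:
            rec = records[-1]
            if section == "apis" and (m := API_RE.match(line)):
                args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
                rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
            elif section == "Strings" and (m := STR_RE.match(line)):
                rec.strings.append((m["text"], m["addr"]))
            elif section == "Similarity":  # "• Key: value" lines
                key, _, val = line[1:].partition(":")
                rec.ids[key.strip()] = val.strip()
    return records

LOADERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")

def resolved_imports(record):
    """Export names the function looks up at run time. Normally the second
    GetProcAddress argument; where the sandbox recovered a stale stack value
    there (e.g. 'user32.dll'), the name still sits in the argument list of the
    GetModuleHandle/LoadLibrary call just before it, so both are scanned."""
    names = set()
    for call in record.apis:
        if call.name in LOADERS:
            names.update(a for a in call.args[1:]
                         if IDENT_RE.match(a) and not re.fullmatch(r"[0-9A-F]{8}", a))
    return names

def looks_like_stall(record):
    """Sleep and GetTickCount in one function is the shape of a timing loop.
    The condensed 'API ID' keeps those words even when the call list is
    collapsed, as in the third sample record, so both are checked."""
    names = {c.name for c in record.apis}
    words = set(re.findall(r"[A-Z][a-z0-9]*", record.ids.get("API ID", "")))
    return {"Sleep", "GetTickCount"} <= names or {"Sleep", "Tick", "Count"} <= words
```

Run over the whole function list of a report, `resolved_imports` gives the set of exports the binary never declares in its import table, which is the list to compare against what the static import scan showed. Two caveats apply to this report: the second GetProcAddress argument is sometimes a stale stack value (user32.dll, kernel32.dll) rather than the export name, which is why the preceding GetModuleHandleA arguments are scanned too; and a Sleep/GetTickCount pair is also what an installer does while it waits for a file handle to be released, so the stall flag is a cue for a closer look at that function, not a verdict on its own.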
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541D2
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541DB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
APIs
  • Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
  • Part of subcall function 00484E68: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
  • Part of subcall function 00484E68: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
  • Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2
  • Part of subcall function 00485194: GetVersionExA.KERNEL32(?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851A2
  • Part of subcall function 00485194: GetVersionExA.KERNEL32(0000009C,?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851F4
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485
Strings
Similarity
• API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
• String ID: SHGetKnownFolderPath$shell32.dll
• API String ID: 1303913335-2936008475
APIs
• RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E1C8
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042E208
Strings
Similarity
• API ID: Value$EnumQuery
• String ID: Inno Setup: No Icons
• API String ID: 1576479698-2016326496
APIs
• DeleteFileA.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 00453083
• GetLastError.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 0045308B
Strings
Similarity
• API ID: DeleteErrorFileLast
• String ID: @8H
• API String ID: 2018770650-3762495883
APIs
• RemoveDirectoryA.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 0045358B
• GetLastError.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 00453593
Strings
Similarity
• API ID: DirectoryErrorLastRemove
• String ID: @8H
• API String ID: 377330604-3762495883
APIs
  • Part of subcall function 004577E0: CoInitialize.OLE32(00000000), ref: 004577E6
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA
Strings
Similarity
• API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 1013667774-2320870614
APIs
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB
Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
                                                                                                                                                                                  • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                                                                                                  • API String ID: 2552568031-2683653824
                                                                                                                                                                                  • Opcode ID: d5f4c7af768d16b3b5c6a86f87ef45a876fa3cc5c322967070caf22bd86c78e1
                                                                                                                                                                                  • Instruction ID: 91b75a77547c13e1772f921c750cf7bd45708da1ec0dc58a0f4cb33c0377533c
                                                                                                                                                                                  • Opcode Fuzzy Hash: d5f4c7af768d16b3b5c6a86f87ef45a876fa3cc5c322967070caf22bd86c78e1
                                                                                                                                                                                  • Instruction Fuzzy Hash: B5F04430B04608BBD700EF52DC52F5DBBACEB45B14FA14076B40067595E678AE048A2D
APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047DC36,00000000,0047DC4C), ref: 0047D946
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
• Opcode ID: 7cf81886a3be2ea0676bdb419752ec839da85decb879fef784735e22499dae0c
• Instruction ID: 03cfcff152a519ea80d4f5543ba1c5a79f91faf414c5488bd5ec988fdc31f9f9
• Opcode Fuzzy Hash: 7cf81886a3be2ea0676bdb419752ec839da85decb879fef784735e22499dae0c
• Instruction Fuzzy Hash: B6F0BBB0B042449BDB04D667AC93BDB37B9CB41308F24847BA2459B392D67C9D00D75D
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476409
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476420
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
• Opcode ID: dfe37b7c2a5045629fd8e0b2a77d405f8cad1a2ae405d18a87ba2f0597c9e29b
• Instruction ID: 7bcc5fcb2fff494360280e2963ad1350d0a4ff74aab44489db68ce07f01780cc
• Opcode Fuzzy Hash: dfe37b7c2a5045629fd8e0b2a77d405f8cad1a2ae405d18a87ba2f0597c9e29b
• Instruction Fuzzy Hash: CDE06D302403447BEA20EB69DCC6F4A77D89B04738F108161FA48AF3E2C6B9EC408A5C
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0047034A,?,?,00000000,00470532,?,_is1,?), ref: 0046FCDF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Value
• String ID: NoModify$I
• API String ID: 3702945584-1047506205
• Opcode ID: 723ef71d5639e3177528866127dac4334c6cdde24b768028f54f947eaa08958f
• Instruction ID: 74656710be1799963dacf24c43606be2f52e229709c8467fcc2139d849b5a3c3
• Opcode Fuzzy Hash: 723ef71d5639e3177528866127dac4334c6cdde24b768028f54f947eaa08958f
• Instruction Fuzzy Hash: 1AE04FB0640308BFEB04DB55DD4AF6BB7ACDB48750F104059BA44DB381EA74FE008658
APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,004831A0), ref: 00483138
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00483149
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00483161
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
• Opcode ID: b1581a0f06f3993262020228058a878573e1761b052ad4db3e08fed4fbd829c7
• Instruction ID: 62bbcf7b8eda1c1d1fe504de26200215c04982407344b62899e0b3f82f18d8db
• Opcode Fuzzy Hash: b1581a0f06f3993262020228058a878573e1761b052ad4db3e08fed4fbd829c7
• Instruction Fuzzy Hash: 6431B0707083445AD710FF368C86B9E7A945B55B08F44593FB9009B3E3CA7D9E09876D
APIs
• GetDC.USER32(00000000), ref: 0044B8A1
• SelectObject.GDI32(?,00000000), ref: 0044B8C4
• ReleaseDC.USER32(00000000,?), ref: 0044B8F7
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ObjectReleaseSelect
• String ID:
• API String ID: 1831053106-0
• Opcode ID: aebefea9080a2ffce71cc44d900bb6067fbd40711943de4e6aa6f899a124bbe5
• Instruction ID: 488fbe92d3dbd6553530e1f28a7071e145c326c324a604cd7e83169de99d3e99
• Opcode Fuzzy Hash: aebefea9080a2ffce71cc44d900bb6067fbd40711943de4e6aa6f899a124bbe5
• Instruction Fuzzy Hash: B321A470E043086FEB05EFA5C841B9EBBB8EB48304F0184BAF504A6292D73CD940CB58
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B5EC,?,004839CF,?,?), ref: 0044B5BE
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B5D1
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B605
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DrawText$ByteCharMultiWide
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 65125430-0
                                                                                                                                                                                  • Opcode ID: 220ba5cac8d50b27136c7947ff428b4d5b30f8bb344e0136b885afe7086c5f85
                                                                                                                                                                                  • Instruction ID: c4c5e2dbcf53f363daa0ac06871d419456bbfc1076f0fbe0a6f7c1d9791685bd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 220ba5cac8d50b27136c7947ff428b4d5b30f8bb344e0136b885afe7086c5f85
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1011CBB27045047FE711DB5A9C81D6FB7ECEB89714F10417BF514D72D0D6389E018669
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424862
• TranslateMessage.USER32(?), ref: 004248DF
• DispatchMessageA.USER32(?), ref: 004248E9
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
• Opcode ID: 1d5f45652bc976909b78a8fda5e55899e4ac3f100e933d79a059951e0026f3ac
• Instruction ID: c7af1bd1b10d32b98fa997e15213bd70182e4a6faef26a56c53dd2d0e562e7a0
• Opcode Fuzzy Hash: 1d5f45652bc976909b78a8fda5e55899e4ac3f100e933d79a059951e0026f3ac
• Instruction Fuzzy Hash: 7111C4343143905AEA20F664A94179B73D4DFD1B04F81481FF8D947382D3BD9D49876B
APIs
• GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00470BC6
Strings
• Failed to set permissions on directory (%d)., xrefs: 00470BD7
• Setting permissions on directory: %s, xrefs: 00470B8C
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set permissions on directory (%d).$Setting permissions on directory: %s
• API String ID: 1452528299-3781482204
• Opcode ID: bb3ebb20d34bd3feb010505e942ac3353de8da3b20606f8c2e5495aa89b54d69
• Instruction ID: 32490694418421bb1a17b28030c0e0f623746775d98a4406e0272f03b74d8531
• Opcode Fuzzy Hash: bb3ebb20d34bd3feb010505e942ac3353de8da3b20606f8c2e5495aa89b54d69
• Instruction Fuzzy Hash: F6016730E041449BCB04D7BE94826DDB7E89F4D318F5086BFB418E7392DA795E05879D
APIs
• SetPropA.USER32(00000000,00000000), ref: 00416ABA
• SetPropA.USER32(00000000,00000000), ref: 00416ACF
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416AF6
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
• Opcode ID: 120d831fd0e7c0f5eedd88e24305ab6ef8b5e2b9243d669fe5121d0f27645725
• Instruction ID: ba7ff3a79511e9fd345c6eb2e7309737472e1a66b8435aad7f351e84ed883601
• Opcode Fuzzy Hash: 120d831fd0e7c0f5eedd88e24305ab6ef8b5e2b9243d669fe5121d0f27645725
• Instruction Fuzzy Hash: 24F0B271701210ABD710AB698C85FA636ECAF0D755F16417ABA05EF286C679DC4087A8
APIs
• IsWindowVisible.USER32(?), ref: 0041F2B4
• IsWindowEnabled.USER32(?), ref: 0041F2BE
• EnableWindow.USER32(?,00000000), ref: 0041F2E4
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
• Opcode ID: f8c63cb9eb03fe3057432f7fc847cbb230a844cb3caf0d06e376941515be7c19
• Instruction ID: f88b3158499dd9289c75302ad3040ea965d59b676cda83e5cbf87f6be83bac28
• Opcode Fuzzy Hash: f8c63cb9eb03fe3057432f7fc847cbb230a844cb3caf0d06e376941515be7c19
• Instruction Fuzzy Hash: 56E06D74200200ABE310AB26ED81A56779CEB10314F118437A849AB293D63AD8458ABC
APIs
• SetActiveWindow.USER32(?), ref: 0046ACB1
Strings
• PrepareToInstall
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ActiveWindow
• String ID: PrepareToInstall
• API String ID: 2558294473-1101760603
• Opcode ID: 93c2ced9901b78990d4c7008f4db33b899a7a6d11fefccccc113996b0ad24cf6
• Instruction ID: fdee18710babf5e336c1910aeb408bf0e6a903f892d838ad66a8bf575b9628a0
• Opcode Fuzzy Hash: 93c2ced9901b78990d4c7008f4db33b899a7a6d11fefccccc113996b0ad24cf6
• Instruction Fuzzy Hash: 90A10C74A00109DFCB00EF99D886E9EB7F5AF48304F5540B6E404AB366D738AE45DB5A
Strings
• /:*?"<>|
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID: /:*?"<>|
• API String ID: 0-4078764451
• Opcode ID: ceb3f76dddb8c4f3c05b9d1c15b0c50ece1c75124130fc1418fa8c0e44e40a18
• Instruction ID: f677315d7a897bddb44220e636167c4a4d5a92338f94b0a6c85659efeb8beb4e
• Opcode Fuzzy Hash: ceb3f76dddb8c4f3c05b9d1c15b0c50ece1c75124130fc1418fa8c0e44e40a18
                                                                                                                                                                                  • Instruction Fuzzy Hash: 95719770F04208ABDB10EB66DC92F9E77A15B41308F1480A7F900BB392E6B99D45875F
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetActiveWindow.USER32(?), ref: 00483A62
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ActiveWindow
                                                                                                                                                                                  • String ID: InitializeWizard
                                                                                                                                                                                  • API String ID: 2558294473-2356795471
                                                                                                                                                                                  • Opcode ID: 8c31a081f099e9809beeea3f27c08756d23f8c24eaac549991aa8419c0c9ea60
                                                                                                                                                                                  • Instruction ID: 9a8fbe648e99d25b3c1ebd2b051959da3f81131ff902f8f70686133b91dd172c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c31a081f099e9809beeea3f27c08756d23f8c24eaac549991aa8419c0c9ea60
                                                                                                                                                                                  • Instruction Fuzzy Hash: BD119170608104DFD704EF2AFC85B597BE8E714718F22847BE544872A2EBB96D00DB6D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Failed to remove temporary directory: , xrefs: 0047E10B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CountTick
                                                                                                                                                                                  • String ID: Failed to remove temporary directory:
                                                                                                                                                                                  • API String ID: 536389180-3544197614
                                                                                                                                                                                  • Opcode ID: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
                                                                                                                                                                                  • Instruction ID: ac5e1a37918f7d070e72ace47ef54387b1d6805ebc6ff4ed15476670fa48ed12
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5A017930604204AADB11EB73DC47FDA3798DB49709F6089BBB504B62E2DBBC9D04D55C
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047DA4C,00000000,0047DC4C), ref: 0047D845
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047D815
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                  • API String ID: 47109696-1019749484
                                                                                                                                                                                  • Opcode ID: ec998cb2005931f9a5bd83814b3b68d5548767ad80e13f0d82a29780648ed5d1
                                                                                                                                                                                  • Instruction ID: 9e1ac37bc360ea69ca44dde089ba04ba4b826bb97de6a423fadd5e819c649f8f
                                                                                                                                                                                  • Opcode Fuzzy Hash: ec998cb2005931f9a5bd83814b3b68d5548767ad80e13f0d82a29780648ed5d1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 09F08231B04114A7DB00B69A9C42BAEA7AC8F84758F20807BF519EB242D9B99E0143AD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • System\CurrentControlSet\Control\Windows, xrefs: 0042E286
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                  • String ID: System\CurrentControlSet\Control\Windows
                                                                                                                                                                                  • API String ID: 71445658-1109719901
                                                                                                                                                                                  • Opcode ID: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
                                                                                                                                                                                  • Instruction ID: 65e6a506820a5022674633d18044d67bbd02e357da0c4a821f6ebd0b5300d4b8
                                                                                                                                                                                  • Opcode Fuzzy Hash: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
                                                                                                                                                                                  • Instruction Fuzzy Hash: B7D09272910228BBAB009A89DC41DFB77ADDB1A760F80806AF91897241D2B4AC519BF4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetACP.KERNEL32(?,?,00000001,00000000,0047FA57,?,-0000001A,00481956,-00000010,?,00000004,0000001C,00000000,00481CA3,?,0045E364), ref: 0047F7EE
                                                                                                                                                                                    • Part of subcall function 0042E76C: GetDC.USER32(00000000), ref: 0042E77B
                                                                                                                                                                                    • Part of subcall function 0042E76C: EnumFontsA.GDI32(?,00000000,0042E758,00000000,00000000,0042E7C4,?,00000000,00000000,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0042E7A6
                                                                                                                                                                                    • Part of subcall function 0042E76C: ReleaseDC.USER32(00000000,?), ref: 0042E7BE
                                                                                                                                                                                  • SendNotifyMessageA.USER32(000104A6,00000496,00002711,-00000001), ref: 0047F9BE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2649214853-0
                                                                                                                                                                                  • Opcode ID: f63ddfb2871cf1e66e6cb65ad1930d9627398cbe91e727e5a4f1e93d11453290
                                                                                                                                                                                  • Instruction ID: 2351f95844d6f0f86e4a4553bb1ee5652cba21286aa46acec5315b7e6dd2a420
                                                                                                                                                                                  • Opcode Fuzzy Hash: f63ddfb2871cf1e66e6cb65ad1930d9627398cbe91e727e5a4f1e93d11453290
                                                                                                                                                                                  • Instruction Fuzzy Hash: 865196B46001009BD710FF26D98179A37A9EB54309B50C53BA4099F3A7CB3CED4ACB9E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0049D420,00000000,004021FC), ref: 004020CB
                                                                                                                                                                                    • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                                                                                    • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
  • String ID:
  • API String ID: 296031713-0
  • Opcode ID: d8e299963bb2c4fed4ff4e3414f532efba3796fb7efe986e1124fe849202073f
  • Instruction ID: 28de6049d60bc6243b4bd9e8b7e4b04bc6e7afcf6678d0e749794f980a6998b8
  • Opcode Fuzzy Hash: d8e299963bb2c4fed4ff4e3414f532efba3796fb7efe986e1124fe849202073f
  • Instruction Fuzzy Hash: 3D41C4B2E003019FDB10CF69DE8521A77A4F7A9328F15417BD954A77E1D378A842CB48
APIs
  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E08C
  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E0FC
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: QueryValue
  • String ID:
  • API String ID: 3660427363-0
  • Opcode ID: fb659fd4e3abd397cfb8b0300bb5eb5c22831bf077ba98013b241e0a6da047f3
  • Instruction ID: f9a1da9ca9b7937b0bb3d9b331acc3eaa2fb365deabda7ea02547e95fe34f262
  • Opcode Fuzzy Hash: fb659fd4e3abd397cfb8b0300bb5eb5c22831bf077ba98013b241e0a6da047f3
  • Instruction Fuzzy Hash: 77415E71E00129ABDB11DF92D881BBFB7B9EB01704F944576E814F7281D778AE01CBA9
APIs
  • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042E426,?,?,00000008,00000000,00000000,0042E453), ref: 0042E3BC
  • RegCloseKey.ADVAPI32(?,0042E42D,?,00000000,00000000,00000000,00000000,00000000,0042E426,?,?,00000008,00000000,00000000,0042E453), ref: 0042E420
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: CloseEnum
  • String ID:
  • API String ID: 2818636725-0
  • Opcode ID: 12af2234252c6635c6b1f59e1ede94e8800845c8a1cfa180ead54c6a4d49dc27
  • Instruction ID: a18f9d464683a8b418f1d9d9c182c699679c3713f239d59a614a00dbe2042668
  • Opcode Fuzzy Hash: 12af2234252c6635c6b1f59e1ede94e8800845c8a1cfa180ead54c6a4d49dc27
  • Instruction Fuzzy Hash: 3E318670B04254AFDB11EBA3EC52BBFBBB9EB45305F90447BE500B3291D6785E01CA29
APIs
  • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F80
  • GetLastError.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F88
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: CreateErrorLastProcess
  • String ID:
  • API String ID: 2919029540-0
  • Opcode ID: 1398244007b20135f5cbcb84ec70d62da1e947103cbbdaeddf7845a69a56a8f1
  • Instruction ID: 1642ece03f316e66375c060ca7626bc18a341a32778e3b1f8c5ba0bc81bd916e
  • Opcode Fuzzy Hash: 1398244007b20135f5cbcb84ec70d62da1e947103cbbdaeddf7845a69a56a8f1
  • Instruction Fuzzy Hash: E7112772A04208AF8B40DEA9ED41D9FB7ECEB4E310B11456BBD08D3241D678AD159B68
APIs
  • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B242
  • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B39F,00000000,0040B3B7,?,?,?,00000000), ref: 0040B253
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: Resource$FindFree
  • String ID:
  • API String ID: 4097029671-0
  • Opcode ID: ccfb53ccaaecadb89aef38a6b87b21aaaa45f6b87b20848e9e6dd1c8ee0e0d8f
  • Instruction ID: 99f6b945ddddc3ffa7954b5b99b0f089effa67c77682540e1bcd22500dccd1d0
  • Opcode Fuzzy Hash: ccfb53ccaaecadb89aef38a6b87b21aaaa45f6b87b20848e9e6dd1c8ee0e0d8f
  • Instruction Fuzzy Hash: 9101F7717043006FE700EF69DC52D1A77ADDB89718711807AF500EB2D0D63D9C0196AD
APIs
  • GetCurrentThreadId.KERNEL32 ref: 0041F343
  • EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: Thread$CurrentEnumWindows
  • String ID:
  • API String ID: 2396873506-0
  • Opcode ID: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
  • Instruction ID: ded2603fe903b3ccb75c053802ed51acc4a1ef0e0cc57bb05547c7342bcbb188
  • Opcode Fuzzy Hash: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
  • Instruction Fuzzy Hash: B2016D74A04B08BFD301CF66ED1195ABBF8F749724B22C877E854D3AA0E73459119E58
APIs
  • MoveFileA.KERNEL32(00000000,00000000), ref: 00453406
  • GetLastError.KERNEL32(00000000,00000000,00000000,0045342C), ref: 0045340E
Memory Dump Source
  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
  • API ID: ErrorFileLastMove
  • String ID:
  • API String ID: 55378915-0
  • Opcode ID: 1548faf8a9677bd12e98f2e2d243f9d82652a592f520366f9bcd72908c48431c
  • Instruction ID: 0cc30b72992c59045a3cb8216ce3619e412531a307d766600c380e57d1775dbb
  • Opcode Fuzzy Hash: 1548faf8a9677bd12e98f2e2d243f9d82652a592f520366f9bcd72908c48431c
  • Instruction Fuzzy Hash: 6101D671B04204BB8701EFB9AC4249EB7ECDB49766760457BFC04E3242EA789F088558
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00452F13), ref: 00452EED
• GetLastError.KERNEL32(00000000,00000000,00000000,00452F13), ref: 00452EF5
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00453283,?,?,00000000), ref: 0045325D
• GetLastError.KERNEL32(00000000,00000000,00453283,?,?,00000000), ref: 00453265
Similarity
• API ID: AttributesErrorFileLast
• String ID:
• API String ID: 1799206407-0
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423699
• LoadCursorA.USER32(00000000,00000000), ref: 004236C3
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
• LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
APIs
• SHGetKnownFolderPath.SHELL32(0049BD54,00008000,00000000,?), ref: 0047DBA5
• CoTaskMemFree.OLE32(?,0047DBE8), ref: 0047DBDB
Strings
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 969438705-544719455
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470FA5,?,00000000), ref: 00451052
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470FA5,?,00000000), ref: 0045105A
  • Part of subcall function 00450DF8: GetLastError.KERNEL32(00450C14,00450EBA,?,00000000,?,00499714,00000001,00000000,00000002,00000000,00499875,?,?,00000005,00000000,004998A9), ref: 00450DFB
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
APIs
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Global$AllocLock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 15508794-0
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408B62), ref: 00408A4B
  • Part of subcall function 0040723C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00407259
  • Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 00420089
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
APIs
  • Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
  • Part of subcall function 0041F2F4: EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046D16E,?,00000000,?,?,0046D380,?,00000000,0046D3F4), ref: 0046D152
  • Part of subcall function 0041F3A8: IsWindow.USER32(?), ref: 0041F3B6
  • Part of subcall function 0041F3A8: EnableWindow.USER32(?,00000001), ref: 0041F3C5
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
• API String ID: 3319771486-0
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004169D5
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E3F
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
                                                                                                                                                                                  • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                                                                                                  • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                                                                                                  • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450F48
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 00d3b0e571f0f9799c9202ce425a31b8579894210baf7755ca9a5e27d392a7a4
• Instruction ID: 8219f7e09200e9d280371fd8822ce49b3febf2e1364c7dcaf59ee2aef9f1cf3d
• Opcode Fuzzy Hash: 00d3b0e571f0f9799c9202ce425a31b8579894210baf7755ca9a5e27d392a7a4
• Instruction Fuzzy Hash: E2E0EDB53541483ED6809AAD7D42F9667DCD71A724F008033B998D7241D5619D158BE8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042D164,?,00000001,?,?,00000000,?,0042D1B6,00000000,00453169,00000000,0045318A,?,00000000), ref: 0042D147
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
• Instruction ID: 9806b9c164805e7544688198397d180b04c1e4ca63c7d3d80aa3ce68cdb407ca
• Opcode Fuzzy Hash: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
• Instruction Fuzzy Hash: 74E09271704704BFD701EF62DC53E6BBBECDB89B18BA14876B400E7692D6789E10D468
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
• Instruction ID: 20bfa46e39afc277729b0f592bdc1926ad718625f52f7f76be7811270f12921f
• Opcode Fuzzy Hash: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
• Instruction Fuzzy Hash: 0DE0206179471216F2351416AC47B77530E43C0704F944436BF50DD3E3D6AED906465E
APIs
• CreateWindowExA.USER32(00000000,00423ACC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00406321
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 9dc46ec25ca5ecaaaae1fbad39bdca196911fb58cef97937ba07dcb482697fa8
• Instruction ID: 1e3b386673cc32b76f3712ab4659b14af7d7742474b1f2ca80afcc4f691b27f6
• Opcode Fuzzy Hash: 9dc46ec25ca5ecaaaae1fbad39bdca196911fb58cef97937ba07dcb482697fa8
• Instruction Fuzzy Hash: 26E002B221430DBFDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972528675AC608B71
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 5347a797c781b98567e2e52ffd135a3f9820974f1ad95a252eafdff03c881ffc
• Instruction ID: 1b6ad3e9ff9242377371a87229ab788a86a92e19cf0220c3a89558970fe9bf90
• Opcode Fuzzy Hash: 5347a797c781b98567e2e52ffd135a3f9820974f1ad95a252eafdff03c881ffc
• Instruction Fuzzy Hash: 58E07EB6600119AF9B40DE8DDC81EEB37ADAB5D360F444016FA48E7200C2B8EC519BB4
APIs
• FindClose.KERNEL32(00000000,000000FF,0047194C,00000000,00472768,?,00000000,004727B1,?,00000000,004728EA,?,00000000,?,00000000,I), ref: 00455376
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 2037d152b961654d0701826464360efc1bc8af66d82e3674caf93459437a3ed2
• Instruction ID: 8b71881552422ad0faea9fb58b8cbe3f8cf10286c40a53e64c89ff98b22cfa58
• Opcode Fuzzy Hash: 2037d152b961654d0701826464360efc1bc8af66d82e3674caf93459437a3ed2
• Instruction Fuzzy Hash: 74E09BB0504A004BC714DF7A848132A77D15F84321F04C96ABC9CCB7D7E67C84154667
APIs
• KiUserCallbackDispatcher.NTDLL(004972CE,?,004972F0,?,?,00000000,004972CE,?,?), ref: 00414AEB
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                                                                                                  • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407374
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3934441357-0
                                                                                                                                                                                  • Opcode ID: 3a95ec999e214528a4642a0263e4bef887c4bff4fae810559ecd64d74c978ed9
                                                                                                                                                                                  • Instruction ID: 7137799a8a619894c36928dc497025c8ae4ce5b7c347e91e7b4e2a044eac2fb2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3a95ec999e214528a4642a0263e4bef887c4bff4fae810559ecd64d74c978ed9
                                                                                                                                                                                  • Instruction Fuzzy Hash: CFD05B723082507BE320A55B5C44EAB6BDCCBC5774F10063EF958D31C1D6349C01C675
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00423A48: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A5D
                                                                                                                                                                                  • ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7
                                                                                                                                                                                    • Part of subcall function 00423A78: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423A94
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InfoParametersSystem$ShowWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3202724764-0
                                                                                                                                                                                  • Opcode ID: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
                                                                                                                                                                                  • Instruction ID: b4979a057c5364df20928e0f8112b75834207fc47edce7a1cb621b48fadbe9ee
                                                                                                                                                                                  • Opcode Fuzzy Hash: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
                                                                                                                                                                                  • Instruction Fuzzy Hash: E4D0A7137811703143117BB738469BF46EC4DD26AB38808BBB5C0DB303E91E8E051278
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetWindowTextA.USER32(?,00000000), ref: 0042472C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: TextWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 530164218-0
                                                                                                                                                                                  • Opcode ID: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
                                                                                                                                                                                  • Instruction ID: 0401e0c0b6f3d46f422729750133087b7afca2a32056b90ced50410e3746bfe3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
                                                                                                                                                                                  • Instruction Fuzzy Hash: 17D05EE27011602BCB01BAAD54C4ACA67CC8B8936AB1440BBF908EF257C638CE458398
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,?,00453399,00000000,004533B2,?,-00000001,00000000), ref: 0042D1C7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                  • Opcode ID: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
                                                                                                                                                                                  • Instruction ID: bf35e0695d646f252302ae8c05399a3b1551c06c76099583daea3b520eb86f7d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3ED022D071121001DE10A0BC28C533711880B74336BA41A33BD69E26E3C33D8823542C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,00451D0F,00000000), ref: 0042D17F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                  • Opcode ID: 176281895ea3e42f60d60676608de6346bb49bc8ae14b0fa01ac27964d7a3955
                                                                                                                                                                                  • Instruction ID: 86baad2ceceaa6a85e65f17f0286784d9b66173697f2cc348ab0aa8737b1e759
                                                                                                                                                                                  • Opcode Fuzzy Hash: 176281895ea3e42f60d60676608de6346bb49bc8ae14b0fa01ac27964d7a3955
                                                                                                                                                                                  • Instruction Fuzzy Hash: C9C080D0711210155E10A5BD1CC556703C849543793540F37B068D66D2D13D8466202C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00468491,00000000,00000000,00000000,0000000C,00000000), ref: 004677E4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
• Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
• Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB24,0040D0D0,?,00000000,?), ref: 0040732D
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 209b0ba7fd8c5b4a24ef9a539f4d873392a5060120ce01350303422817e34c0d
• Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
• Opcode Fuzzy Hash: 209b0ba7fd8c5b4a24ef9a539f4d873392a5060120ce01350303422817e34c0d
• Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C
APIs
• FreeLibrary.KERNEL32(00000000,004506B4,00000000,?,00469063,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 004504C6
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 26d24d78127bedaa8bd94fa6176c523188c8219f80ea813ea250164edc493aa3
• Instruction ID: d31243997fce6a081680f754dd08e5339b9cfa2d37494deb9f472b2c5ff9ad0f
• Opcode Fuzzy Hash: 26d24d78127bedaa8bd94fa6176c523188c8219f80ea813ea250164edc493aa3
• Instruction Fuzzy Hash: 1AD092B1925244AECB10AB26EA0430232B0E364316F404037E60095163C33988958F8C
APIs
• SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
  • Part of subcall function 00450DF8: GetLastError.KERNEL32(00450C14,00450EBA,?,00000000,?,00499714,00000001,00000000,00000002,00000000,00499875,?,?,00000005,00000000,004998A9), ref: 00450DFB
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 46bffcc4190b32f1737510e309765b0f9d847fb6a3bc417c92e668a4702f1f8e
• Instruction ID: c64e7bd530bf7aca0fb3f38fdfe864b922b4b7832701085435935f337d1370ec
• Opcode Fuzzy Hash: 46bffcc4190b32f1737510e309765b0f9d847fb6a3bc417c92e668a4702f1f8e
• Instruction Fuzzy Hash: 0BC04CA5340140578F40A6AE85C1A1663DC9E193493504066B904DF657D669D8484A15
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: f8e5bc84ed77a990345a18ebfce7b3b4d36d471a9523976a67f94f28f3ebd8b5
• Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
• Opcode Fuzzy Hash: f8e5bc84ed77a990345a18ebfce7b3b4d36d471a9523976a67f94f28f3ebd8b5
• Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
APIs
• FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
• Instruction ID: be2fe49a244c431ec9946715e535269e6deba234050b303873a188c7b9bcae40
• Opcode Fuzzy Hash: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
• Instruction Fuzzy Hash: C5C00271511210AED750DFBA9D4C75637D4A71832AF068477F40CC3160F6344840CB09
APIs
• SetErrorMode.KERNEL32(?,0042E85D), ref: 0042E850
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
• Instruction ID: 289f6c2202f902c5fbbb0b24ee8d848b414576690a26c35d590b8c03c3951524
• Opcode Fuzzy Hash: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
• Instruction Fuzzy Hash: A7B09B76B0C6005DF705D6D5745152D63D4D7C57203E1457BF454D35C0D93C58004918
APIs
• PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00483060
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: a0c6aa8902cc3208d5e04c02e1b2d56b9c79d5a4ff1a08c822a552ee674eaf65
• Instruction ID: a049f017766f74ee94b83235d94ec2d7737a3ea42143ca09c2755b46fea829eb
• Opcode Fuzzy Hash: a0c6aa8902cc3208d5e04c02e1b2d56b9c79d5a4ff1a08c822a552ee674eaf65
• Instruction Fuzzy Hash: 7FA002343D530430F47463510D13F4400402744F15EE1409573053D0C304D82424201D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DestroyWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3375834691-0
                                                                                                                                                                                  • Opcode ID: 7c218e59c1dd1ff03dc8e849b9cf22d0cf8864dd38f6abff84783c2b34ac62d8
                                                                                                                                                                                  • Instruction ID: 951f12253bcdbe2be33f1d7372765b1b3ebb510443260a24e1bbd496af9ec3c9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7c218e59c1dd1ff03dc8e849b9cf22d0cf8864dd38f6abff84783c2b34ac62d8
                                                                                                                                                                                  • Instruction Fuzzy Hash: AFA002755015409ADB10E7A5C84DF7A2298BF44204FD905FA714CA7052C53CD9008A55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047F287,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047F241
                                                                                                                                                                                    • Part of subcall function 0042CE50: GetSystemMetrics.USER32(0000002A), ref: 0042CE62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMetricsMultiSystemWide
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 224039744-0
                                                                                                                                                                                  • Opcode ID: f52afbad91b667b6f6308f5f7be5f2f829de3790a0e249e9b62606124138a6e4
                                                                                                                                                                                  • Instruction ID: 496bb1a5f94cf580fd05206e04ab07141ed402b11bdf28edaa456749bafa96dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: f52afbad91b667b6f6308f5f7be5f2f829de3790a0e249e9b62606124138a6e4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D51B670600245FFDB10DFA6D884B9AB7F8EB19308F518077E804A73A2D778AD49CB59
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,00000000,?,?,00000000,0045D834), ref: 0045D80D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFullLastNamePath
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2157422313-0
                                                                                                                                                                                  • Opcode ID: 9496637c5be4f45600dd852a490db853eaf0602299792abc810e83aca145d4fa
                                                                                                                                                                                  • Instruction ID: e271e1d84c0b7232cbeee5b0715f984ebfaf7416c270e3c33bd16b7cbb57140a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9496637c5be4f45600dd852a490db853eaf0602299792abc810e83aca145d4fa
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E113370B04204AFDB10EEA9CCC19AEB7E8DF49315F60457AFC14E3382D6789F099655
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                  • Opcode ID: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
                                                                                                                                                                                  • Instruction ID: 12b252a98648104a36852bc9e66bdd9c626d3d2234b6f24232172dde86ff5d2a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
                                                                                                                                                                                  • Instruction Fuzzy Hash: FA1148746007059BCB10DF19C880B82FBE4EB98350F10C53AE9588B385D374E849CBA8
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1263568516-0
                                                                                                                                                                                  • Opcode ID: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
                                                                                                                                                                                  • Instruction ID: 191f0f4b7cd680364798b3dc381f6aadc2f07e0dbee61be3c45a65ffd8c3a871
                                                                                                                                                                                  • Opcode Fuzzy Hash: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E01FC766442148FC3109E29DCC0E2677E8D794378F15453EDA85673A1D37A7C4187D8
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00453771), ref: 00453753
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1452528299-0
                                                                                                                                                                                  • Opcode ID: 23d18d59897e39bc4499862bac3fc6016057085f4d4fb8d535a9825dcce29caf
                                                                                                                                                                                  • Instruction ID: c77a4f58350eb22b54b4dfaca8229fa0e9126d3262ef2898ea61e0989ca8d5dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 23d18d59897e39bc4499862bac3fc6016057085f4d4fb8d535a9825dcce29caf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 24014CB5A042046B8701DF69A8114AEFBE8DB4D3617208277FC64D3342D7345E059764
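The "APIs" lines in these function entries are what an analyst reads first, but they are raw: the values in parentheses are a window of the stack at the call (only the first N slots of an N-parameter API are its parameters; the trailing values are whatever else sat on the stack, such as return addresses), and the flag constants are bare hex. The following Python is an added example, not a Joe Sandbox tool and not part of this report. It parses lines of this shape and decodes the constants that actually occur on this page: for VirtualAlloc, flAllocationType 0x1000 is MEM_COMMIT and flProtect 0x40 is PAGE_EXECUTE_READWRITE; for VirtualFree, 0x4000 is MEM_DECOMMIT; SetErrorMode 0x8000 is SEM_NOOPENFILEERRORBOX; GetSystemMetrics 0x2A is SM_DBCSENABLED. The sample input is copied from this report's entries and embedded as constructed test data; the constant tables come from the Win32 headers; the function names are the example's own.

```python
"""Parse the "APIs" lines of a Joe Sandbox function entry and decode the
flag arguments an analyst checks first.  Added example, not a Joe Sandbox
tool; the sample lines are copied from this report as constructed input."""
import re
from typing import NamedTuple, Optional

SAMPLE_TRACE = """\
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047F287,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047F241
  • Part of subcall function 0042CE50: GetSystemMetrics.USER32(0000002A), ref: 0042CE62
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832
• VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766
• SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
"""

# "Part of subcall function X:" marks a call made inside the callee at X.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple            # stack slots as logged; "?" means not recovered
    ref: int               # address of the call instruction
    callee: Optional[int]  # set when the call happens inside a subcall


def parse_trace(text: str) -> list:
    """Turn the bullet lines under an "APIs" heading into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings"
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        callee = int(m["callee"], 16) if m["callee"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), callee))
    return calls


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Slot `index` as an int, or None for "?", a string, or a missing slot.
    Only the declared parameters of the API are meaningful; later slots are
    leftovers from the stack window, so callers must not index past them."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


# Win32 constants, limited to the values that appear in this report.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
ERRMODE_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x8000: "SEM_NOOPENFILEERRORBOX"}
SYSMETRICS = {0x2A: "SM_DBCSENABLED"}


def flag_names(value: Optional[int], table: dict) -> str:
    """Render a bit-mask argument as OR-ed flag names."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def describe(call: ApiCall) -> str:
    """One-line reading of the calls an analyst checks first."""
    if call.api == "VirtualAlloc":
        size, prot = arg_int(call, 1), arg_int(call, 3)
        return (f"VirtualAlloc size={'?' if size is None else hex(size)} "
                f"{flag_names(arg_int(call, 2), MEM_FLAGS)} "
                f"{PAGE_PROT.get(prot, '?' if prot is None else hex(prot))}")
    if call.api == "VirtualFree":
        return f"VirtualFree {flag_names(arg_int(call, 2), MEM_FLAGS)}"
    if call.api == "SetErrorMode":
        return f"SetErrorMode {flag_names(arg_int(call, 0), ERRMODE_FLAGS)}"
    if call.api == "GetSystemMetrics":
        idx = arg_int(call, 0)
        return f"GetSystemMetrics({SYSMETRICS.get(idx, '?' if idx is None else hex(idx))})"
    return f"{call.api} ({len(call.args)} stack slots logged)"


def rwx_allocations(calls) -> list:
    """Call sites requesting writable and executable memory, the allocation
    that typically precedes unpacking or code injection."""
    return [c.ref for c in calls
            if c.api == "VirtualAlloc" and (arg_int(c, 3) or 0) & 0x40]


def resolved_exports(calls) -> list:
    """Export names passed to GetProcAddress, i.e. APIs resolved at run time."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for c in parsed:
        print(f"{c.ref:08X} {describe(c)}")
    print("RWX allocations at:", [hex(r) for r in rwx_allocations(parsed)])
    print("Run-time resolved exports:", resolved_exports(parsed))
```

Run stand-alone, the script prints one decoded line per call, the RWX allocation site 0x41f832, and the exports resolved through GetProcAddress. Two caveats when reading the output against this report: the decoding assumes 32-bit stdcall parameters pushed in order, which is what the report's 8-digit addresses indicate, and a LoadLibraryA/GetProcAddress sequence is only as suspicious as the library it targets. The SetErrorMode(SEM_NOOPENFILEERRORBOX), LoadLibraryA("CTL3D32.DLL"), ten Ctl3d* lookups and FreeLibrary seen in this process match the optional Ctl3d probe of the Delphi VCL run-time library, so that sequence by itself is ordinary run-time behaviour; the PAGE_EXECUTE_READWRITE allocation is the line worth following up in the memory dumps listed under each entry.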
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
                                                                                                                                                                                  • SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD
• FreeLibrary.KERNEL32(00000001,?,00419440,00000000,?,?,?,00000001), ref: 0041F6BF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
APIs
• GetTickCount.KERNEL32 ref: 00458E2B
• QueryPerformanceCounter.KERNEL32(00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E34
• GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00458E3E
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E47
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458EBD
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00458ECB
• CreateFileA.KERNEL32(00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F13
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00459069,?,00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F4C
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458FF5
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045902B
• CloseHandle.KERNEL32(000000FF,00459070,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459063
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
APIs
  • Part of subcall function 004795B8: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02117A24,?,?,?,02117A24,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
  • Part of subcall function 004795B8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
  • Part of subcall function 004795B8: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A24,?,?,?,02117A24,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
  • Part of subcall function 004795B8: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A24,?,?,?,02117A24), ref: 00479614
  • Part of subcall function 004795B8: CloseHandle.KERNEL32(00000000,?,?,?,02117A24,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632
  • Part of subcall function 00479690: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00479722,?,?,?,02117A24,?,00479784,00000000,0047989A,?,?,?,?), ref: 004796C0
• ShellExecuteEx.SHELL32(0000003C), ref: 004797D4
• GetLastError.KERNEL32(00000000,0047989A,?,?,?,?), ref: 004797DD
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047982A
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047984E
• CloseHandle.KERNEL32(00000000,0047987F,00000000,00000000,000000FF,000000FF,00000000,00479878,?,00000000,0047989A,?,?,?,?), ref: 00479872
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422E44
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042300E), ref: 00422E54
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
APIs
• IsIconic.USER32(?), ref: 004187E3
• GetWindowPlacement.USER32(?,0000002C), ref: 00418800
• GetWindowRect.USER32(?), ref: 0041881C
• GetWindowLongA.USER32(?,000000F0), ref: 0041882A
• GetWindowLongA.USER32(?,000000F8), ref: 0041883F
• ScreenToClient.USER32(00000000), ref: 00418848
• ScreenToClient.USER32(00000000,?), ref: 00418853
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
                                                                                                                                                                                  • Opcode ID: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
                                                                                                                                                                                  • Instruction ID: c8128d77bd0d7ceb2c04d713c679bf83e48da9b619e6265fa23865d78167b210
                                                                                                                                                                                  • Opcode Fuzzy Hash: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B111971505201ABDB00EF69C885E9B77E8AF48314F140A7EB958DB286C738D900CB65
APIs
• IsIconic.USER32(?), ref: 0042F744
• GetWindowLongA.USER32(?,000000F0), ref: 0042F758
• GetWindowLongA.USER32(?,000000EC), ref: 0042F76F
• GetActiveWindow.USER32 ref: 0042F778
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7A5
• SetActiveWindow.USER32(?,0042F8D5,00000000,?), ref: 0042F7C6
Similarity
• API ID: Window$ActiveLong$IconicMessage
• String ID:
• API String ID: 1633107849-0
• Opcode ID: 49306f5a5aea126db747c93f7e274e0cd8a3885b454e69ee071c1ce4e6e90790
• Instruction ID: 4c2db8bb30fa69d0e852579bfabd785c91e73d104037fd1269e13a33cc275b58
• Opcode Fuzzy Hash: 49306f5a5aea126db747c93f7e274e0cd8a3885b454e69ee071c1ce4e6e90790
• Instruction Fuzzy Hash: 0D31B170A00654AFDB01EFB5DC52D6EBBF8EB09704B9244BBF804E7291D6389D04CB18
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00455D8F
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455D95
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455DAE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DD5
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DDA
• ExitWindowsEx.USER32(00000002,00000000), ref: 00455DEB
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 082306ff38d6c760ea0c9f1032eabff53d8a831f0171a5046667534f49f86738
• Instruction ID: 02e3d1fa5e569da00b44776faf89310fbaa28c239a726f1a6525e170f6cce7ee
• Opcode Fuzzy Hash: 082306ff38d6c760ea0c9f1032eabff53d8a831f0171a5046667534f49f86738
• Instruction Fuzzy Hash: 55F06871294B02BAE650A6718C1BF7B21A8DB40749F50892ABD41EA1C3D7BDD40C8A7A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8,?,?,00000000,0049D62C), ref: 004999E3
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00499A66
• FindNextFileA.KERNEL32(000000FF,?,00000000,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000), ref: 00499A7E
• FindClose.KERNEL32(000000FF,00499AA9,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8), ref: 00499A9C
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 95b3f25cf4ec60d39bc400f980b771d31e145dcc29cfc9c7f6bb2460c5483c6d
• Instruction ID: e7bbbac40fef3dfc3cc8058b31a588cc53a4b1370f1491e53b11de7997221e0f
• Opcode Fuzzy Hash: 95b3f25cf4ec60d39bc400f980b771d31e145dcc29cfc9c7f6bb2460c5483c6d
• Instruction Fuzzy Hash: 98318871A015586FDF10EF66CC41ADEBBBCDB45304F5184BBA808A32A1DA389F45CE58
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457E0D
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457E34
• SetForegroundWindow.USER32(?), ref: 00457E45
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045811D,?,00000000,00458159), ref: 00458108
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457F88
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 685519442a570b48cb17621a111e6bc8b93d65fea83153691f85968c0254f361
• Instruction ID: fc8679ff921622e129be82b5c7b8b9d6156041410e322bf9d6052ebf871bd799
• Opcode Fuzzy Hash: 685519442a570b48cb17621a111e6bc8b93d65fea83153691f85968c0254f361
• Instruction Fuzzy Hash: E8911234604204DFDB15CF55D952F1ABBF9EB88700F2180BAED04AB792CB79AE05CB58
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004566E7), ref: 004565D8
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004565DE
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
• Opcode ID: 25df71702425412e55e0ebe1ec94dd27c79a220fb61393adf873e88db180ab3d
• Instruction ID: b48cc3d91c9fc3d8a1033014b63779c50d18bc65ef0bc06e4cd1291adb105b9d
• Opcode Fuzzy Hash: 25df71702425412e55e0ebe1ec94dd27c79a220fb61393adf873e88db180ab3d
• Instruction Fuzzy Hash: A2417471A00249AFCF01EFA5C8829EFBBB8EF48304F514567F800F7252D6795D098B69
APIs
• IsIconic.USER32(?), ref: 0041815F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
• GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Placement$Iconic
                                                                                                                                                                                  • String ID: ,
                                                                                                                                                                                  • API String ID: 568898626-3772416878
                                                                                                                                                                                  • Opcode ID: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
                                                                                                                                                                                  • Instruction ID: 655d5dfc889397085a04c255a013ff48624dbcd9c32011b5bbe491b24769000a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C211D72600204ABDF00EF69CCC1ADA77E8AF49314F55456AFD18DF246CB78D9458BA8
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000000,00464A8D), ref: 00464901
                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464990
                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A22
                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,00464A49,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A3C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4011626565-0
                                                                                                                                                                                  • Opcode ID: 9c4269f61b84920ca12822ed024a471ff72fe9e9b28da976123b0901a486667e
                                                                                                                                                                                  • Instruction ID: ae00aa0afc7aa582470d59ca75ba9400823c3a1943f8949d3747a5def8a0c8eb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c4269f61b84920ca12822ed024a471ff72fe9e9b28da976123b0901a486667e
                                                                                                                                                                                  • Instruction Fuzzy Hash: B541C570A00658AFDF11EFA5DC45ADEB7B8EB89305F4044BAF404E7381E63C9E488E19
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000000,00464F33), ref: 00464DC1
                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464E07
                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EBC
                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,00464EE7,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EDA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Find$File$CloseErrorFirstModeNext
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4011626565-0
                                                                                                                                                                                  • Opcode ID: bf41e3cc1b133229262ffb54fabbd49d98797372cd5bfa19d660c2805fd8b5e1
                                                                                                                                                                                  • Instruction ID: 8e27f6cc4c7e55bed8f6d5ebd72a4c3c722eac7afebeb0f1b00dc6af3d7f2fe3
                                                                                                                                                                                  • Opcode Fuzzy Hash: bf41e3cc1b133229262ffb54fabbd49d98797372cd5bfa19d660c2805fd8b5e1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31416535A006589FCB11EFA5CD859DEB7B9FBC8305F5044AAF804E7341EB389E448E59
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDA6
                                                                                                                                                                                  • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EDD1
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDDE
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDE6
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDEC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1177325624-0
                                                                                                                                                                                  • Opcode ID: 060edd20a8b9ef3e5187fa71c6153c8dffa7266a06f07a40ca48e996766aa3cd
                                                                                                                                                                                  • Instruction ID: d5f14a2582f403684e4f7b299b1070748df424b87161b08669007267f0031b9d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 060edd20a8b9ef3e5187fa71c6153c8dffa7266a06f07a40ca48e996766aa3cd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 21F0F0723A07203AF620B17A6C82F7F018CC784B68F10423AF704FF1D1D9A84D0515AD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • IsIconic.USER32(?), ref: 00484D66
                                                                                                                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00484D84
                                                                                                                                                                                  • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DA6
                                                                                                                                                                                  • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DBA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Show$IconicLong
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2754861897-0
                                                                                                                                                                                  • Opcode ID: 6d02ab3679acd20c13477f6129401e215db0be7c9c4dcc708735b62ecc99512f
                                                                                                                                                                                  • Instruction ID: c453c85064c149f2f8de5328ae0569b6634ad2f96c4c2f1b45344ef68f201c80
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6d02ab3679acd20c13477f6129401e215db0be7c9c4dcc708735b62ecc99512f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D015E706002129EDB10FB769D89B9A22D95B50344F19083FB8449B2E2CB7C9841975C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,00463418), ref: 0046339C
                                                                                                                                                                                  • FindNextFileA.KERNEL32(000000FF,?,00000000,004633F8,?,00000000,?,00000000,00463418), ref: 004633D8
                                                                                                                                                                                  • FindClose.KERNEL32(000000FF,004633FF,004633F8,?,00000000,?,00000000,00463418), ref: 004633F2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 7c5a373344a681de92fecfb08138b0c42bf8f9877b9eb60383b953f92d76aded
• Instruction ID: 0500e82312f9f08261d57c94a6d9b1f58695be5d4d7593f033a5dbf80f84d4fc
• Opcode Fuzzy Hash: 7c5a373344a681de92fecfb08138b0c42bf8f9877b9eb60383b953f92d76aded
• Instruction Fuzzy Hash: 1421DB315046886FDB11DF66CC41ADEB7ACDB49305F5084F7B808D3251EA389F44C959
APIs
• IsIconic.USER32(?), ref: 00424634
• SetActiveWindow.USER32(?,?,?,?,0046DA13), ref: 00424641
  • Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7
  • Part of subcall function 00423F64: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042465A,?,?,?,?,0046DA13), ref: 00423F9F
• SetFocus.USER32(00000000,?,?,?,?,0046DA13), ref: 0042466E
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: f6b17c850702daf3fe2f22264f5d8e983b40a127641bef431db8629b7e0b9e45
• Instruction ID: 5ae1608fbac1b61a262bbd8080f57afdf1b64e8a1d97d82fcb33e84f02d7d1dc
• Opcode Fuzzy Hash: f6b17c850702daf3fe2f22264f5d8e983b40a127641bef431db8629b7e0b9e45
• Instruction Fuzzy Hash: DBF0D07170122187CB00BFA9D9C5A9633A8AF48714B56407BBD09DF25BC67CDC458768
APIs
• InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F261
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F271
• CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F299
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DescriptorSecurity$CreateDaclInitializeMutex
• String ID:
• API String ID: 3525989157-0
• Opcode ID: 296a65e85b4cf530d2912259c248fa0dd98adb1b483a3bccc15e2a953cf47158
• Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
• Opcode Fuzzy Hash: 296a65e85b4cf530d2912259c248fa0dd98adb1b483a3bccc15e2a953cf47158
• Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96
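The function above builds a security descriptor with SetSecurityDescriptorDacl(pSD, bDaclPresent=1, pDacl=NULL, bDaclDefaulted=0) and then calls CreateMutexA. A DACL that is present but NULL grants Everyone full access to any object the descriptor is attached to, which is the detail an analyst wants pulled out of a listing this long. The script below is an added example by the editor, not part of the Joe Sandbox report or product: it parses the report's per-function "APIs" listing format into call records and flags that pattern. SAMPLE is an excerpt copied from this page with the leading whitespace stripped; the parameter positions come from the documented Win32 signature, and OBJECT_CREATORS is the editor's own short list of securable-object APIs, not something the report states.

```python
"""Parse a Joe Sandbox per-function 'APIs' listing and flag NULL-DACL descriptors.

Added example by the editor; not part of the Joe Sandbox report or product.
SAMPLE is an excerpt copied from the report's listing with the leading
whitespace stripped. Parameter positions come from the documented Win32
signature SetSecurityDescriptorDacl(pSD, bDaclPresent, pDacl, bDaclDefaulted).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F261
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F271
• CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F299
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DescriptorSecurity$CreateDaclInitializeMutex
• String ID:
• API String ID: 3525989157-0
• Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96
APIs
• IsIconic.USER32(?), ref: 004245EB
  • Part of subcall function 00423ED4: EnumWindows.USER32(00423E6C), ref: 00423EF8
• SetActiveWindow.USER32(?,?,?,004241C3,00000000,004245AC), ref: 004245FF
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• Instruction Fuzzy Hash: 3BE01A6070010187DB00EFAAE8C4B8622A8BF88305F55017ABC08CF24BDA3CDC048728
"""

# One "• Name.MODULE(args), ref: ADDR" line; the optional prefix marks calls the
# report attributes to a callee rather than to the function itself.
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z_]\w*)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]   # values Joe Sandbox recovered from the stack, as printed
    ref: str          # call-site address
    subcall: bool     # True when listed as "Part of subcall function"


@dataclass
class Function:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""


def parse_listing(text: str) -> list[Function]:
    """Split the listing at each 'APIs' header and collect calls and IDs."""
    funcs: list[Function] = []
    cur: Function | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Function()
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], bool(m["sub"])))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
    return funcs


# Kernel objects whose access is governed by the DACL handed to them at creation;
# editor's selection, not a list taken from the report.
OBJECT_CREATORS = {
    "CreateMutexA", "CreateMutexW", "CreateEventA", "CreateEventW",
    "CreateSemaphoreA", "CreateSemaphoreW", "CreateFileMappingA",
    "CreateFileMappingW", "CreateNamedPipeA", "CreateNamedPipeW",
}


def null_dacl_sites(fn: Function) -> list[str]:
    """Call sites where SetSecurityDescriptorDacl gets bDaclPresent=TRUE and pDacl=NULL.

    A NULL DACL grants Everyone full access to whatever the descriptor is attached
    to. Only the first four printed values are parameters (the report prints
    further stack slots) and recovered values can be stale, so a hit is a lead to
    confirm in the disassembly, not a verdict."""
    return [c.ref for c in fn.calls
            if c.name == "SetSecurityDescriptorDacl" and len(c.args) >= 3
            and c.args[1] == "00000001" and c.args[2] == "00000000"]


def review(funcs: list[Function]) -> list[dict]:
    """One finding per function that builds a NULL-DACL descriptor and, in the
    same function, creates a securable kernel object."""
    findings = []
    for fn in funcs:
        sites = null_dacl_sites(fn)
        creators = [c.name for c in fn.calls if c.name in OBJECT_CREATORS]
        if sites and creators:
            findings.append({"api_id": fn.api_id, "null_dacl_at": sites,
                             "creates": creators, "fuzzy_hash": fn.fuzzy_hash})
    return findings


if __name__ == "__main__":
    for finding in review(parse_listing(SAMPLE)):
        print(finding)
```

Run against the excerpt, the script reports the 0042F271 site together with the CreateMutexA call and the function's Instruction Fuzzy Hash, which is the value to use when hunting for the same routine in other samples. Note the caveat the rule itself carries: the recovered CreateMutexA arguments here all read 00000000, including lpMutexAttributes and lpName, so whether the descriptor is actually passed and whether the mutex is named (and therefore reachable from other processes) has to be confirmed in the IDA snapshot rather than read off the listing.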
APIs
• IsIconic.USER32(?), ref: 0041815F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
• GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: add44dc6c1a8246b0274be2cc60e43faf0e8d0d1d4c3491e9dc610c53a27efe0
• Instruction ID: b17f17ea660f77e7302433a0225cb82371cce2f83056bcd31e3690383aca5fbc
• Opcode Fuzzy Hash: add44dc6c1a8246b0274be2cc60e43faf0e8d0d1d4c3491e9dc610c53a27efe0
• Instruction Fuzzy Hash: E5012C72300104BBDF10EE69CCC1EEB7798AB55364F55416AFD18DF242DA38ED8287A8
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: 99a5272a522ae5b86843bbc46bcec4048f688ae804ae57258cbc35cfbf0e7084
• Instruction ID: c42435c704d87005acf5b6d7044dd68bff31d3bfeee1bac994fdbb5906758c2c
• Opcode Fuzzy Hash: 99a5272a522ae5b86843bbc46bcec4048f688ae804ae57258cbc35cfbf0e7084
• Instruction Fuzzy Hash: 79F049313446014BD720A72DC889AAF62F99F84394B1C643BE41AC7756EB7DDDC48758
APIs
• IsIconic.USER32(?), ref: 004245EB
  • Part of subcall function 00423ED4: EnumWindows.USER32(00423E6C), ref: 00423EF8
  • Part of subcall function 00423ED4: GetWindow.USER32(?,00000003), ref: 00423F0D
  • Part of subcall function 00423ED4: GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
  • Part of subcall function 00423ED4: SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52
• SetActiveWindow.USER32(?,?,?,004241C3,00000000,004245AC), ref: 004245FF
  • Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
• Instruction ID: 0eb0e95855424de6865fa4d756a676c77cd5728601e575884a8a50090c80911a
• Opcode Fuzzy Hash: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
• Instruction Fuzzy Hash: 3BE01A6070010187DB00EFAAE8C4B8622A8BF88305F55017ABC08CF24BDA3CDC048728
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C25), ref: 00412C13
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
• Instruction ID: cdfe5c129d614e166dcfab814c58775b37bd24f4e82d9105b90a581207f53ed6
• Opcode Fuzzy Hash: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
• Instruction Fuzzy Hash: 0451C2316082058FC720DF6AD781A9AF3E5EF98304B2086ABD904C7351EAB9ED91C74D
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00479E56
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: NtdllProc_Window
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4255912815-0
                                                                                                                                                                                  • Opcode ID: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
                                                                                                                                                                                  • Instruction ID: 77384fbc8b33c5310ab19163c687e45bac72601044cd1e9f95c219b02d082465
                                                                                                                                                                                  • Opcode Fuzzy Hash: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
                                                                                                                                                                                  • Instruction Fuzzy Hash: 71414A75604105EFCB20CF99C6808AAB7F5EB48310B74C9A6E849DB745D338EE41DB94
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0044BAA4: GetVersionExA.KERNEL32(00000094), ref: 0044BAC1
                                                                                                                                                                                    • Part of subcall function 0044BAF8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BB10
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BC8C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BC9E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BCB0
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BCC2
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BCD4
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BCE6
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BCF8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD0A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BD1C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BD2E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BD40
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BD52
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BD64
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BD76
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BD88
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BD9A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BDAC
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BDBE
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BDD0
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BDE2
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BDF4
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE06
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BE18
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BE2A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BE3C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BE4E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BE60
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BE72
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BE84
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BE96
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BEA8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BEBA
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BECC
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BEDE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$DirectoryLibraryLoadSystemVersion
                                                                                                                                                                                  • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                                                                                                  • API String ID: 2754715182-2910565190
                                                                                                                                                                                  • Opcode ID: 2001b9481bd4323523c3a6d9ee5d3feebd5ce703d364f315cb0e33d3a930df2d
                                                                                                                                                                                  • Instruction ID: 345b4916510d3cb7c096cba84ec2b1d1bd9d6ff2ab3c947e91cb1c242a843473
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2001b9481bd4323523c3a6d9ee5d3feebd5ce703d364f315cb0e33d3a930df2d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 49A16AB0A41A50EBEB00EFF5DC86A2A37A8EB15B14B1405BBB444EF295D678DC048F5D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • Sleep.KERNEL32(00000000,00000000,004944E1,?,?,?,?,00000000,00000000,00000000), ref: 0049402C
                                                                                                                                                                                  • FindWindowA.USER32(00000000,00000000), ref: 0049405D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FindSleepWindow
                                                                                                                                                                                  • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                                                                                                  • API String ID: 3078808852-3310373309
                                                                                                                                                                                  • Opcode ID: 440ea2a378728cb60bd6447d57bf3ec1db7f0b39e7025f77ea846c71da36df6a
                                                                                                                                                                                  • Instruction ID: aaf63752e06fee66a7d05b71673dc8e7902340e663ecb0da5339ca9489632561
                                                                                                                                                                                  • Opcode Fuzzy Hash: 440ea2a378728cb60bd6447d57bf3ec1db7f0b39e7025f77ea846c71da36df6a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7EC14060B0421027DB14FB7ACC4692E5A999BD4704750CA3FB40AEB78BDE3CDC0B4799
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 0041CE90
                                                                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 0041CE9C
                                                                                                                                                                                  • CreateBitmap.GDI32(0041AD94,?,00000001,00000001,00000000), ref: 0041CEC0
                                                                                                                                                                                  • CreateCompatibleBitmap.GDI32(?,0041AD94,?), ref: 0041CED0
                                                                                                                                                                                  • SelectObject.GDI32(0041D28C,00000000), ref: 0041CEEB
                                                                                                                                                                                  • FillRect.USER32(0041D28C,?,?), ref: 0041CF26
                                                                                                                                                                                  • SetTextColor.GDI32(0041D28C,00000000), ref: 0041CF3B
                                                                                                                                                                                  • SetBkColor.GDI32(0041D28C,00000000), ref: 0041CF52
                                                                                                                                                                                  • PatBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00FF0062), ref: 0041CF68
                                                                                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 0041CF7B
                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041CFAC
                                                                                                                                                                                  • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CFC4
                                                                                                                                                                                  • RealizePalette.GDI32(00000000), ref: 0041CFCD
                                                                                                                                                                                  • SelectPalette.GDI32(0041D28C,00000000,00000001), ref: 0041CFDC
                                                                                                                                                                                  • RealizePalette.GDI32(0041D28C), ref: 0041CFE5
                                                                                                                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041CFFE
                                                                                                                                                                                  • SetBkColor.GDI32(00000000,00000000), ref: 0041D015
                                                                                                                                                                                  • BitBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00000000,00000000,00000000,00CC0020), ref: 0041D031
                                                                                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 0041D03E
                                                                                                                                                                                  • DeleteDC.GDI32(00000000), ref: 0041D054
                                                                                                                                                                                    • Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 269503290-0
                                                                                                                                                                                  • Opcode ID: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
                                                                                                                                                                                  • Instruction ID: f3cd37e79d0242250547ce8a95e3067296a2558137ee74c5e82542f4c8f5946c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F61CD71A44604AFDB10EBE9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CoCreateInstance.OLE32(0049BA74,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E1A
                                                                                                                                                                                  • CoCreateInstance.OLE32(0049B764,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E40
                                                                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 00456FF7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045702E
                                                                                                                                                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 00457066
                                                                                                                                                                                  • %ProgramFiles(x86)%\, xrefs: 00456ECA
                                                                                                                                                                                  • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456F59
                                                                                                                                                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456FDC
                                                                                                                                                                                  • CoCreateInstance, xrefs: 00456E4B
                                                                                                                                                                                  • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00456F8D
                                                                                                                                                                                  • IPropertyStore::Commit, xrefs: 0045707F
                                                                                                                                                                                  • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004570A0
                                                                                                                                                                                  • IPersistFile::Save, xrefs: 004570FE
                                                                                                                                                                                  • {pf32}\, xrefs: 00456EBA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateInstance$FreeString
                                                                                                                                                                                  • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                                                                                                                  • API String ID: 308859552-2363233914
                                                                                                                                                                                  • Opcode ID: 93e5a5c0d7a20504b98ac55000e6e3f3033edd77299ae39f481bc7526604c0d6
                                                                                                                                                                                  • Instruction ID: 02ec3099c1e013a4d2a6014e0405d8002507ef7a0ca247d1a979c15f6e32810c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 93e5a5c0d7a20504b98ac55000e6e3f3033edd77299ae39f481bc7526604c0d6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 57B18071A04204AFDB11DFA9D845B9E7BF8AF08706F5440B6F904E7262DB38DD48CB69
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
                                                                                                                                                                                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00473C58
                                                                                                                                                                                  • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00473D73
                                                                                                                                                                                  • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00473D89
                                                                                                                                                                                  • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00473DAE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                                                                                                                  • String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
                                                                                                                                                                                  • API String ID: 971782779-2902529204
                                                                                                                                                                                  • Opcode ID: 0a35e12aea509a7e54ae466e3ca9dbe00f98180b4d7421f3134f165c055a7807
                                                                                                                                                                                  • Instruction ID: 9b31a6288a8d0ad81c732a29d19026b8086b57763a6276d7ac4447936d78ea7d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0a35e12aea509a7e54ae466e3ca9dbe00f98180b4d7421f3134f165c055a7807
                                                                                                                                                                                  • Instruction Fuzzy Hash: EBD11374A00148ABDB11DFA9D582BDDBBF4AF08305F50806AF804B7392D778AE45DB69
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ShowWindow.USER32(?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000,0049A411,?,00000000), ref: 00499D3B
                                                                                                                                                                                  • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000), ref: 00499D4E
                                                                                                                                                                                  • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000), ref: 00499D5E
                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00499D7F
                                                                                                                                                                                  • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000), ref: 00499D8F
                                                                                                                                                                                    • Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                                                                                                                  • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                                                                                                                  • API String ID: 2000705611-3672972446
                                                                                                                                                                                  • Opcode ID: 925e690ebd037e7923dbbcefbad47493d482e32af6c3f83e886948a8d640b5b4
                                                                                                                                                                                  • Instruction ID: 24b702ce4587ab849973673670b37801b9677cadbfb3bf4f1077f7c12e9ac28d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 925e690ebd037e7923dbbcefbad47493d482e32af6c3f83e886948a8d640b5b4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5591C430A04205AFDF11EF69C852BAEBBB4EB49304F51447AF500AB792C63DAC05CB6D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,0045B190,?,?,?,?,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045B042
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast
                                                                                                                                                                                  • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                                                                                                  • API String ID: 1452528299-3112430753
                                                                                                                                                                                  • Opcode ID: 40b9f5196d712795c6723aabbf18e3bcf6ec9952ad21e77cd65b077e1d7ea276
                                                                                                                                                                                  • Instruction ID: 1722664f16d817fc675012576ec738190a07adef69c32437d7057340c1fc2b4b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 40b9f5196d712795c6723aabbf18e3bcf6ec9952ad21e77cd65b077e1d7ea276
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3271AE307006445BDB01EB6A88927AE7BA5EF49755F50846BFC01EB383CB7C8E49879D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0041B813
                                                                                                                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0041B81D
                                                                                                                                                                                  • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B82F
                                                                                                                                                                                  • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B846
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 0041B852
                                                                                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B87F
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041B8A5
                                                                                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 0041B8C0
                                                                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0041B8CF
                                                                                                                                                                                  • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0041B909
                                                                                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 0041B917
                                                                                                                                                                                  • DeleteDC.GDI32(00000000), ref: 0041B920
                                                                                                                                                                                  • DeleteDC.GDI32(?), ref: 0041B929
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 644427674-0
                                                                                                                                                                                  • Opcode ID: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
                                                                                                                                                                                  • Instruction ID: 5456327a1e321ce8c2b8187df1c916a831ebe275c46a8a968a344784d91ca00b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
                                                                                                                                                                                  • Instruction Fuzzy Hash: FC419F71E44609ABDB10EAE9C845FEFB7BCEB08704F104466F614F7281D7786D418BA8
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,?,00000000,?,00000000,00455275,?,0045B366,00000003,00000000,00000000,004552AC), ref: 004550F5
                                                                                                                                                                                    • Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 00455179
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 004551A8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • , xrefs: 00455066
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045504C
                                                                                                                                                                                  • RegOpenKeyEx, xrefs: 00455078
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00455013
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: QueryValue$FormatMessageOpen
                                                                                                                                                                                  • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                                                                                                  • API String ID: 2812809588-1577016196
                                                                                                                                                                                  • Opcode ID: 2751d3f1861e418f081ddf6454286212c6d932ba5dee6d04c203c687234d9735
                                                                                                                                                                                  • Instruction ID: 06452bf81ef06fa34888f2ab1cc7b3841a1100f4c60e90cd60a05f06e497d7d6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2751d3f1861e418f081ddf6454286212c6d932ba5dee6d04c203c687234d9735
                                                                                                                                                                                  • Instruction Fuzzy Hash: E0913371D04608ABDB10DFA5C952BEEB7F8EB08305F50406BF904F7282D6799E088B69
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00459B60: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459CFB
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459D65
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459DCC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459D18
                                                                                                                                                                                  • .NET Framework not found, xrefs: 00459E19
                                                                                                                                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459CAE
                                                                                                                                                                                  • v4.0.30319, xrefs: 00459CED
                                                                                                                                                                                  • v2.0.50727, xrefs: 00459D57
                                                                                                                                                                                  • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459D7F
                                                                                                                                                                                  • v1.1.4322, xrefs: 00459DBE
                                                                                                                                                                                  • .NET Framework version %s not found, xrefs: 00459E05
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close$Open
                                                                                                                                                                                  • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                                                                                                                  • API String ID: 2976201327-446240816
                                                                                                                                                                                  • Opcode ID: d7b66496af80865dd82b06e094c253fcc243f9f157f2f8bd9145884dc98d1b31
                                                                                                                                                                                  • Instruction ID: 13a12a4b366685baa8d6a2e304724611cbcec49206d2204e0959de5a5d6478e2
                                                                                                                                                                                  • Opcode Fuzzy Hash: d7b66496af80865dd82b06e094c253fcc243f9f157f2f8bd9145884dc98d1b31
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6451B235A04104EFCB04DB66D862BEE77BADB49305F1844BBA941D7382E7799E0D8B18
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00459277
                                                                                                                                                                                  • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459293
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004592A1
                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?), ref: 004592B2
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004592F9
                                                                                                                                                                                  • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00459315
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Helper process exited., xrefs: 004592C1
                                                                                                                                                                                  • Helper process exited, but failed to get exit code., xrefs: 004592EB
                                                                                                                                                                                  • Stopping 64-bit helper process. (PID: %u), xrefs: 00459269
                                                                                                                                                                                  • Helper process exited with failure code: 0x%x, xrefs: 004592DF
                                                                                                                                                                                  • Helper isn't responding; killing it., xrefs: 00459283
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                                                                                                  • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                                                                                                  • API String ID: 3355656108-1243109208
                                                                                                                                                                                  • Opcode ID: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
                                                                                                                                                                                  • Instruction ID: 475b633a8f1197f12a32b7740e8dffccf3703e2e74a756bc360da45c31bde27f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B215C70604700EAC720EA7DC486B5B77D49F49305F048D2EB899DB693DA7CEC489B2A
APIs
  • Part of subcall function 0042E234: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454DB7
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454EF3
  • Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CCF
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CFF
• , xrefs: 00454D19
• RegCreateKeyEx, xrefs: 00454D2B
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: 6ec3d0b23e1f48f3aad8fef16a1fab9caf92b4aa27bd1cc5b711479c94c09124
• Instruction ID: 61cb1c98edcfe528623c145d9993427f2b00fea00e486b8f0244815ce8f04fab
• Opcode Fuzzy Hash: 6ec3d0b23e1f48f3aad8fef16a1fab9caf92b4aa27bd1cc5b711479c94c09124
• Instruction Fuzzy Hash: 18810175900209ABDB01DFD5C942BDEB7B8FB49709F50442AF900FB282D7789A49CB69
APIs
  • Part of subcall function 00454024: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
  • Part of subcall function 00454024: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004985B5
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00498709), ref: 004985D6
• CreateWindowExA.USER32(00000000,STATIC,00498718,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004985FD
• SetWindowLongA.USER32(?,000000FC,00497D90), ref: 00498610
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC,00498718), ref: 00498640
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004986B4
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000), ref: 004986C0
  • Part of subcall function 00454498: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F
• DestroyWindow.USER32(?,004986E3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC), ref: 004986D6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 1549857992-2312673372
• Opcode ID: 33f0aa1e6c66ba33127d106aa60bf689e86794d53dcbda2b1297c66d72ebb552
• Instruction ID: 19a9ac76a87cbdbac9fefc72f4bc8d66673aab5a8439699f4ab81f25108c8d39
• Opcode Fuzzy Hash: 33f0aa1e6c66ba33127d106aa60bf689e86794d53dcbda2b1297c66d72ebb552
• Instruction Fuzzy Hash: 78414771A54204AFDF00EBA5CC42F9E7BF8EB09714F51457AF500FB291DA799E048B58
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E891
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E897
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E8E5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$hE
• API String ID: 4190037839-2100363064
• Opcode ID: f58b6d4dbbec461593ba7b64236c63f951e922bfac5eb23f31135b9ac24a6388
• Instruction ID: 343416b7bfae85f45959abe8e21461bd4048f30ead5244c3b453dfa896624356
• Opcode Fuzzy Hash: f58b6d4dbbec461593ba7b64236c63f951e922bfac5eb23f31135b9ac24a6388
• Instruction Fuzzy Hash: 06214470B00229EBDB50EAA7DC42BAE77A8EB44314F904477A500E7281DB7C9E45DB1C
APIs
• GetActiveWindow.USER32 ref: 004635F0
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00463604
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463611
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0046361E
• GetWindowRect.USER32(?,00000000), ref: 0046366A
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004636A8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 5d54fb813e64eee8d2e1fd1d869d3f84fcc541412d8aec38238ce219d7c6ea2a
• Instruction ID: 23225dc964baf5770c03b9449d190f9fd0809e25ab0c2f23061680c52a7637e8
• Opcode Fuzzy Hash: 5d54fb813e64eee8d2e1fd1d869d3f84fcc541412d8aec38238ce219d7c6ea2a
• Instruction Fuzzy Hash: AE21C2B17006446BD320EE68CC45F3B76D9EB84B05F09452EF944DB3C1EA78DD004B5A
APIs
• GetActiveWindow.USER32 ref: 0042F620
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F634
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F641
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F64E
• GetWindowRect.USER32(?,00000000), ref: 0042F69A
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F6D8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 9e18f176ca51f207d9f48e4ded0b32e3445f45e6b18c2f86467d84d44384674f
• Instruction ID: 8e363f887434259cf3ecd6bfca6d9ac669349ab4594bae960fb014309ef79425
• Opcode Fuzzy Hash: 9e18f176ca51f207d9f48e4ded0b32e3445f45e6b18c2f86467d84d44384674f
• Instruction Fuzzy Hash: BC21C2B27006146FD600EA68DC85F3B72A9EB84704F89463AF944DB391DA78DC098B59
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004595F7,?,00000000,0045965A,?,?,00000000,00000000), ref: 00459475
                                                                                                                                                                                  • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594D2
                                                                                                                                                                                  • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594DF
                                                                                                                                                                                  • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045952B
                                                                                                                                                                                  • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459551
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459558
                                                                                                                                                                                    • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                                                                                                                  • String ID: CreateEvent$TransactNamedPipe
                                                                                                                                                                                  • API String ID: 2182916169-3012584893
                                                                                                                                                                                  • Opcode ID: 8c882674e4e7badbb1dce3e2dfa1fdcbe7e98f1f80990b5ca878147d0da0e0cb
                                                                                                                                                                                  • Instruction ID: 77fbb71d8e7aac064b87aac98c1c55f9fcb2258c1561d492b861e589c0c855dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c882674e4e7badbb1dce3e2dfa1fdcbe7e98f1f80990b5ca878147d0da0e0cb
                                                                                                                                                                                  • Instruction Fuzzy Hash: CF418B71A00208FFDB11DF99C981F9EB7F9EB48710F5040AAF904E7282D6789E54CB68
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00457621,?,?,00000031,?), ref: 004574E4
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004574EA
                                                                                                                                                                                  • LoadTypeLib.OLEAUT32(00000000,?), ref: 00457537
                                                                                                                                                                                    • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                                                                                                                  • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                                                                                                                  • API String ID: 1914119943-2711329623
                                                                                                                                                                                  • Opcode ID: b2a57cb5d0d4215bed9739cbf0b7be67a86da8044cbf193a82d044f72dd204c0
                                                                                                                                                                                  • Instruction ID: 559faf3bdf9cccbe36ab56d48fd8e4aa4276a02661c60707683b87f46ce48c1c
                                                                                                                                                                                  • Opcode Fuzzy Hash: b2a57cb5d0d4215bed9739cbf0b7be67a86da8044cbf193a82d044f72dd204c0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8131B471A04604BFCB01EFAADC01D5FB7BEEB8975571044B6BD04D3652EA38DD04CA68
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RectVisible.GDI32(?,?), ref: 00417263
                                                                                                                                                                                  • SaveDC.GDI32(?), ref: 00417277
                                                                                                                                                                                  • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0041729A
                                                                                                                                                                                  • RestoreDC.GDI32(?,?), ref: 004172B5
                                                                                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00417335
                                                                                                                                                                                  • FrameRect.USER32(?,?,?), ref: 00417368
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00417372
                                                                                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00417382
                                                                                                                                                                                  • FrameRect.USER32(?,?,?), ref: 004173B5
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 004173BF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 375863564-0
                                                                                                                                                                                  • Opcode ID: 990d97cb70453dddf228ae22806dd100ede861f0f9d68864237969aa7ab350c2
                                                                                                                                                                                  • Instruction ID: 6654575de22a121332528345891e4d9aada139d791074539051cb87a9fd886f5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 990d97cb70453dddf228ae22806dd100ede861f0f9d68864237969aa7ab350c2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 30515D712086455FDB50EF69C8C0B9B7BE8AF48314F1455AAFD588B286C738EC81CB99
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                                                                                                                  • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                                                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                                                                                                                  • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                                                                                                                  • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                                                                                                                  • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1694776339-0
                                                                                                                                                                                  • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                                                                                                  • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetSystemMenu.USER32(00000000,00000000), ref: 00422683
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226A1
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226AE
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226BB
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226C8
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004226D5
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004226E2
                                                                                                                                                                                  • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004226EF
                                                                                                                                                                                  • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042270D
                                                                                                                                                                                  • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422729
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$Delete$EnableItem$System
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3985193851-0
                                                                                                                                                                                  • Opcode ID: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
                                                                                                                                                                                  • Instruction ID: df9c0873c136ddd24b8aa988775969986c1613bec62327c4069b14a2c43cb384
                                                                                                                                                                                  • Opcode Fuzzy Hash: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F2156743847047AE721E724CD8BF9B7BD89B54748F144069B6487F2D3C6FCAA40869C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SHGetMalloc.SHELL32(?), ref: 004621AF
                                                                                                                                                                                  • GetActiveWindow.USER32 ref: 00462213
                                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00462227
                                                                                                                                                                                  • SHBrowseForFolder.SHELL32(?), ref: 0046223E
                                                                                                                                                                                  • CoUninitialize.OLE32(0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462253
                                                                                                                                                                                  • SetActiveWindow.USER32(?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462269
                                                                                                                                                                                  • SetActiveWindow.USER32(?,?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462272
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                                                                                                                  • String ID: A
                                                                                                                                                                                  • API String ID: 2684663990-3554254475
                                                                                                                                                                                  • Opcode ID: caefdfe045defb9a034f2c4a917009fdef53ece79d7542ea0497d69e424cd409
                                                                                                                                                                                  • Instruction ID: 1e82777cc352b96db12449cf8796706bfa71e84f11e11660080683620fe74db3
                                                                                                                                                                                  • Opcode Fuzzy Hash: caefdfe045defb9a034f2c4a917009fdef53ece79d7542ea0497d69e424cd409
                                                                                                                                                                                  • Instruction Fuzzy Hash: E23130B0E04208AFDB00EFB5D945ADEBBF8EB09304F51447AF914E7251E7789A04CB59
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D,?,?,00000000,00473EF0), ref: 00473974
                                                                                                                                                                                    • Part of subcall function 0042D1E4: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D25A
                                                                                                                                                                                    • Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB
                                                                                                                                                                                  • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D), ref: 004739EB
                                                                                                                                                                                  • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000), ref: 004739F1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                                                                                                                  • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                                                                                                                  • API String ID: 884541143-1710247218
                                                                                                                                                                                  • Opcode ID: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
                                                                                                                                                                                  • Instruction ID: bfb262a57c212aacfed1a05d1298e64af55acb3d3cb9d0523fd91374b550827c
                                                                                                                                                                                  • Opcode Fuzzy Hash: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F11D3B07006047BD701EA698C83AAE73ACDB48715F50813BB844A72C1DB3C9F02961D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DAB9
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DAC9
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DAD9
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DAE9
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                                                  • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                                                                                                                  • API String ID: 190572456-3516654456
                                                                                                                                                                                  • Opcode ID: 5abc5c05f731a0f84057b652f47985810eed84a0374322df604e0c431af132d1
                                                                                                                                                                                  • Instruction ID: 9991d33b7b3f44c4a287d390de66c621eb38f0a325e11cae05c3c9c0ae6f74c7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5abc5c05f731a0f84057b652f47985810eed84a0374322df604e0c431af132d1
                                                                                                                                                                                  • Instruction Fuzzy Hash: ED016CB0D00710DAE324DF335C827223AA79B94306F1584376B4853266D3FC184DCE2D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0041AE09
                                                                                                                                                                                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE43
                                                                                                                                                                                  • SetBkColor.GDI32(?,?), ref: 0041AE58
                                                                                                                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEA2
                                                                                                                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041AEAD
                                                                                                                                                                                  • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEBD
                                                                                                                                                                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AEFC
                                                                                                                                                                                  • SetTextColor.GDI32(00000000,00000000), ref: 0041AF06
                                                                                                                                                                                  • SetBkColor.GDI32(00000000,?), ref: 0041AF13
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Color$StretchText
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2984075790-0
                                                                                                                                                                                  • Opcode ID: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
                                                                                                                                                                                  • Instruction ID: 4ec4bb7d7ecd06ab75a809c898bbb7394ceff3bd51f581de865bbf99f3132505
                                                                                                                                                                                  • Opcode Fuzzy Hash: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
                                                                                                                                                                                  • Instruction Fuzzy Hash: E761A6B5A01605EFC740EFADE985E9AB7F9EF08318B108566F518DB251C734ED408F98
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458A74,?, /s ",?,regsvr32.exe",?,00458A74), ref: 004589E6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseDirectoryHandleSystem
                                                                                                                                                                                  • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044D781
• GetSysColor.USER32(00000014), ref: 0044D788
• SetTextColor.GDI32(00000000,00000000), ref: 0044D7A0
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D7C9
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D7D3
• GetSysColor.USER32(00000010), ref: 0044D7DA
• SetTextColor.GDI32(00000000,00000000), ref: 0044D7F2
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D81B
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D846
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
APIs
  • Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
  • Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00497E6D
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00497E81
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00497E9B
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EA7
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EAD
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EC0
Strings
• Deleting Uninstall data files., xrefs: 00497DE3
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155,?,?,?,?,00000000), ref: 004710BF
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155), ref: 004710D6
• AddFontResourceA.GDI32(00000000), ref: 004710F3
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471107
Strings
• AddFontResource, xrefs: 00471111
• Failed to open Fonts registry key., xrefs: 004710DD
• Failed to set value in Fonts registry key., xrefs: 004710C8
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
APIs
  • Part of subcall function 00416860: GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
  • Part of subcall function 00416860: UnregisterClassA.USER32(?,00400000), ref: 004168FB
  • Part of subcall function 00416860: RegisterClassA.USER32(?), ref: 0041691E
• GetVersion.KERNEL32 ref: 00463A54
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00463A92
• SHGetFileInfo.SHELL32(00463B30,00000000,?,00000160,00004011), ref: 00463AAF
• LoadCursorA.USER32(00000000,00007F02), ref: 00463ACD
• SetCursor.USER32(00000000,00000000,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463AD3
• SetCursor.USER32(?,00463B13,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463B06
Strings
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02117A24,?,?,?,02117A24,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A24,?,?,?,02117A24,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A24,?,?,?,02117A24), ref: 00479614
• CloseHandle.KERNEL32(00000000,?,?,?,02117A24,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632
Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                                                                                                                  • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                                                                                                                  • API String ID: 2704155762-2318956294
                                                                                                                                                                                  • Opcode ID: 1947a9aaa15eabe4036a12787753409495eb16ca8dbead4cdc7f2695ecfe1c22
                                                                                                                                                                                  • Instruction ID: 19ddb68189d16dccfde8b10573e35333770f7cebea86a77b7f1be6907437da3a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1947a9aaa15eabe4036a12787753409495eb16ca8dbead4cdc7f2695ecfe1c22
                                                                                                                                                                                  • Instruction Fuzzy Hash: CC01D26034470436E52131BA4C86FBB248C8B50768F148237BA1CEA2E2EDAD9E0601AE
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,0045A78A,?,00000000,00000000,00000000,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045A6CE
                                                                                                                                                                                    • Part of subcall function 00454B5C: FindClose.KERNEL32(000000FF,00454C52), ref: 00454C41
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A6A8
                                                                                                                                                                                  • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A743
                                                                                                                                                                                  • Deleting directory: %s, xrefs: 0045A657
                                                                                                                                                                                  • Failed to strip read-only attribute., xrefs: 0045A69C
                                                                                                                                                                                  • Failed to delete directory (%d). Will retry later., xrefs: 0045A6E7
                                                                                                                                                                                  • Failed to delete directory (%d)., xrefs: 0045A764
                                                                                                                                                                                  • Stripped read-only attribute., xrefs: 0045A690
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseErrorFindLast
                                                                                                                                                                                  • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                                                                                                                  • API String ID: 754982922-1448842058
                                                                                                                                                                                  • Opcode ID: e8aa9ef7f824b2a061c16c0988bae792ae65a83e1ee41ee0e1e8b20d1f830e97
                                                                                                                                                                                  • Instruction ID: 6800a92dfaec35f14ad088af188abd42280c19cea7490fe80134e7d3278dcbe3
                                                                                                                                                                                  • Opcode Fuzzy Hash: e8aa9ef7f824b2a061c16c0988bae792ae65a83e1ee41ee0e1e8b20d1f830e97
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62418630A002485ACB10EB6988017AE7AF59B4D306F55867FAC11A7393DB7CCE1D875B
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCapture.USER32 ref: 004232F4
                                                                                                                                                                                  • GetCapture.USER32 ref: 00423303
                                                                                                                                                                                  • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423309
                                                                                                                                                                                  • ReleaseCapture.USER32 ref: 0042330E
                                                                                                                                                                                  • GetActiveWindow.USER32 ref: 0042331D
                                                                                                                                                                                  • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0042339C
                                                                                                                                                                                  • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423400
                                                                                                                                                                                  • GetActiveWindow.USER32 ref: 0042340F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 862346643-0
                                                                                                                                                                                  • Opcode ID: d2dc62145a020e54a0683f837acecb26501ac7fae3216bd7808a05aa4d6a43e8
                                                                                                                                                                                  • Instruction ID: 3a9af59dda1f98e95100fec3f153a7acb7f05633bd4cd2eb2e4992da2b7770c9
                                                                                                                                                                                  • Opcode Fuzzy Hash: d2dc62145a020e54a0683f837acecb26501ac7fae3216bd7808a05aa4d6a43e8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 68414170B10258AFDB10EFAAD942B9DB7F1AF44704F5140BAE404AB292DB7C9F41CB18
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 004298DA
                                                                                                                                                                                  • GetTextMetricsA.GDI32(00000000), ref: 004298E3
                                                                                                                                                                                    • Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7
                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 004298F2
                                                                                                                                                                                  • GetTextMetricsA.GDI32(00000000,?), ref: 004298FF
                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00429906
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0042990E
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000006), ref: 00429933
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000006), ref: 0042994D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1583807278-0
                                                                                                                                                                                  • Opcode ID: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
                                                                                                                                                                                  • Instruction ID: 0ef879b540a67ceb128a5e1141d84f2d1524799c58b88ee5a2ee57f477153a9f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8401A19170971127F310667A9CC2B6F6688DB54368F44053EFA86963E3D96C8C81876E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 0041E277
                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E281
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041E28E
                                                                                                                                                                                  • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E29D
                                                                                                                                                                                  • GetStockObject.GDI32(00000007), ref: 0041E2AB
                                                                                                                                                                                  • GetStockObject.GDI32(00000005), ref: 0041E2B7
                                                                                                                                                                                  • GetStockObject.GDI32(0000000D), ref: 0041E2C3
                                                                                                                                                                                  • LoadIconA.USER32(00000000,00007F00), ref: 0041E2D4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 225703358-0
                                                                                                                                                                                  • Opcode ID: 957f3307555577b9769f88203920435baeedebafbf566bc0e8d0fe2380545380
                                                                                                                                                                                  • Instruction ID: 718266ba1944efb5b46721f14e799226cd24d8dfc19287898d5783b558d94fa9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 957f3307555577b9769f88203920435baeedebafbf566bc0e8d0fe2380545380
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1111FB70A453015AE340BFA69D52BAA3691D724709F00813BF608EF3D2DB7D5C809BAD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 00463F38
                                                                                                                                                                                  • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463FCD), ref: 00463F3E
                                                                                                                                                                                  • SetCursor.USER32(?,00463FB5,00007F02,00000000,00463FCD), ref: 00463FA8
                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Cursor$Load
• String ID: $ $Internal error: Item already expanding
• API String ID: 1675784387-1948079669
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F
Strings
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00477EF1
• SetWindowLongW.USER32(00000000,000000FC,Function_00077E4C), ref: 00477F18
• GetACP.KERNEL32(00000000,00478130,?,00000000,0047815A), ref: 00477F55
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00477F9B
Strings
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58), ref: 0047EAD0
• FindClose.KERNEL32(000000FF,0047EAFB,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58,00000000), ref: 0047EAEE
Strings
Similarity
• API ID: Find$CloseFileNext
• String ID: TG$TG
• API String ID: 2066263336-2531790037
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408DB8,?,?,?,?,00000000,00000000,00000000,?,00409DBF,00000000,00409DD2), ref: 00408B8A
  • Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6
  • Part of subcall function 00408A04: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C06,?,?,?,00000000,00408DB8), ref: 00408A17
Strings
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
APIs
• GetVersion.KERNEL32(00000000,00411D49), ref: 00411BDC
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411C9A
  • Part of subcall function 00411EFC: CreatePopupMenu.USER32 ref: 00411F16
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D26
  • Part of subcall function 00411EFC: CreateMenu.USER32 ref: 00411F20
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D0D
Strings
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041C378
• GetObjectA.GDI32(?,00000018,?), ref: 0041C387
• GetBitmapBits.GDI32(?,?,?), ref: 0041C3D8
• GetBitmapBits.GDI32(?,?,?), ref: 0041C3E6
• DeleteObject.GDI32(?), ref: 0041C3EF
• DeleteObject.GDI32(?), ref: 0041C3F8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C415
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1030595962-0
                                                                                                                                                                                  • Opcode ID: 8204310b78e8d6a6cf9899529667619705c527fa466c5b93b01e90bd2c764378
                                                                                                                                                                                  • Instruction ID: 7028de2688ff158aa25c0b8276400e232655bb6670dd4605646626e5bfc1af4e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8204310b78e8d6a6cf9899529667619705c527fa466c5b93b01e90bd2c764378
                                                                                                                                                                                  • Instruction Fuzzy Hash: F651F671E002199FCB50DFE9C8819EEB7F9EB48314B218066F914E7295D638AD81CB68
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D34E
• GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D36D
• SelectPalette.GDI32(?,?,00000001), ref: 0041D3D3
• RealizePalette.GDI32(?), ref: 0041D3E2
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D44C
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D48A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D4AF
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
• Opcode ID: 11edf0dba9517228aa32d7039567d0e1bdcd43b434536bf7bada936ddc7c4efc
• Instruction ID: 60201597840efc574cdf5035eb35bbfd27a544e021146ecd029e3556dfc27432
• Opcode Fuzzy Hash: 11edf0dba9517228aa32d7039567d0e1bdcd43b434536bf7bada936ddc7c4efc
• Instruction Fuzzy Hash: 305121B0A00604AFD714DFA9C985F9AB7F9EF08304F14859AB944D7392C778ED80CB58
APIs
• SendMessageA.USER32(00000000,?,?), ref: 00457B2A
  • Part of subcall function 004246CC: GetWindowTextA.USER32(?,?,00000100), ref: 004246EC
  • Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
  • Part of subcall function 0041F2F4: EnumThreadWindows.USER32(00000000,0041F2A4,00000000), ref: 0041F349
  • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457B91
• TranslateMessage.USER32(?), ref: 00457BAF
• DispatchMessageA.USER32(?), ref: 00457BB8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
• String ID: [Paused]
• API String ID: 1007367021-4230553315
• Opcode ID: 31cb7fdc48ed9e78bfc0c73adec3810bff2390ae3e523ac4d000c848820f6b6f
• Instruction ID: d952aa0340fda6d06c899081e645d661bac1146de2c671e539639067201b9655
• Opcode Fuzzy Hash: 31cb7fdc48ed9e78bfc0c73adec3810bff2390ae3e523ac4d000c848820f6b6f
• Instruction Fuzzy Hash: BB3196309082445EDB11DFB9E845FDE7BF8DB49318F5180B7E814E7292D67CA909CB29
APIs
• GetCursor.USER32(00000000,0046C21F), ref: 0046C19C
• LoadCursorA.USER32(00000000,00007F02), ref: 0046C1AA
• SetCursor.USER32(00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1B0
• Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1BA
• SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1C0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Cursor$LoadSleep
• String ID: CheckPassword
• API String ID: 4023313301-1302249611
• Opcode ID: ce3984bea0c5d85023e98f2da038b503bb9f29560b4eba7d50fa5ad56f960d46
• Instruction ID: ee4704442a97aa51a819b3d11b93b6eea7a80086b594a8aac8f18d25b90f0006
• Opcode Fuzzy Hash: ce3984bea0c5d85023e98f2da038b503bb9f29560b4eba7d50fa5ad56f960d46
• Instruction Fuzzy Hash: 063175346402449FD711EF69C8C9F9E7BE4AF49304F5580BAB9449B3E2E7789E40CB49
APIs
  • Part of subcall function 00478DDC: GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
  • Part of subcall function 00478DDC: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
  • Part of subcall function 00478DDC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD
• SendMessageA.USER32(00000000,0000004A,00000000,0047926E), ref: 00478EE9
• GetTickCount.KERNEL32 ref: 00478F2E
• GetTickCount.KERNEL32 ref: 00478F38
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00478F8D
Strings
• CallSpawnServer: Unexpected response: $%x, xrefs: 00478F1E
• CallSpawnServer: Unexpected status: %d, xrefs: 00478F76
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
• Opcode ID: c46d90ec627eec355b04474858c9833e0dc615cc8fb62d212e36d073c5026e7c
• Instruction ID: 2b74b3330966d0da2430542d23b63ad4dc4eec681a1128910255243e8f8c0985
• Opcode Fuzzy Hash: c46d90ec627eec355b04474858c9833e0dc615cc8fb62d212e36d073c5026e7c
• Instruction Fuzzy Hash: E0319374F502149ADB10EBB9884A7EE76A19F48304F50843EF148EB382DA7C4D0187A9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A03B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • .NET Framework CreateAssemblyCache function failed, xrefs: 0045A05E
                                                                                                                                                                                  • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A046
                                                                                                                                                                                  • CreateAssemblyCache, xrefs: 0045A032
                                                                                                                                                                                  • Failed to load .NET Framework DLL "%s", xrefs: 0045A020
                                                                                                                                                                                  • Fusion.dll, xrefs: 00459FDB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc
                                                                                                                                                                                  • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                                                                                                  • API String ID: 190572456-3990135632
                                                                                                                                                                                  • Opcode ID: d95d5d40fddf0b6030493c953464f742ef4760e894d11a5ea04ccacfdf112554
                                                                                                                                                                                  • Instruction ID: ac224aa19d502af52a8aeeb8631c7515eb40ef1487658bef2565bb8923ebe5d4
                                                                                                                                                                                  • Opcode Fuzzy Hash: d95d5d40fddf0b6030493c953464f742ef4760e894d11a5ea04ccacfdf112554
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7931A971E006059FDB10EFA5C88169EB7B4AF44715F50867BE814E7382D7389E18C79A
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0041C498: GetObjectA.GDI32(?,00000018), ref: 0041C4A5
                                                                                                                                                                                  • GetFocus.USER32 ref: 0041C5B8
                                                                                                                                                                                  • GetDC.USER32(?), ref: 0041C5C4
                                                                                                                                                                                  • SelectPalette.GDI32(?,?,00000000), ref: 0041C5E5
                                                                                                                                                                                  • RealizePalette.GDI32(?), ref: 0041C5F1
                                                                                                                                                                                  • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C608
                                                                                                                                                                                  • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C630
                                                                                                                                                                                  • ReleaseDC.USER32(?,?), ref: 0041C63D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3303097818-0
                                                                                                                                                                                  • Opcode ID: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
                                                                                                                                                                                  • Instruction ID: 5608d60df95c2c9a4937b8f20fdaccdf81dd4bf5f719291f5ec9f8ce647d196e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 00116DB1A00619BBDF10DBA9CC85FAFB7FCEF48700F14446AB614E7281D67899008B28
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetSystemMetrics.USER32(0000000E), ref: 004190C0
                                                                                                                                                                                  • GetSystemMetrics.USER32(0000000D), ref: 004190C8
                                                                                                                                                                                  • 6F9A2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 004190CE
                                                                                                                                                                                    • Part of subcall function 00410C48: 6F99C400.COMCTL32(?,000000FF,00000000,004190FC,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00410C4C
                                                                                                                                                                                  • 6FA0CB00.COMCTL32(?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 0041911E
                                                                                                                                                                                  • 6FA0C740.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419129
                                                                                                                                                                                  • 6FA0CB00.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000), ref: 0041913C
                                                                                                                                                                                  • 6F9A0860.COMCTL32(?,0041915F,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E), ref: 00419152
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MetricsSystem$A0860A2980C400C740
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1086221473-0
                                                                                                                                                                                  • Opcode ID: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
                                                                                                                                                                                  • Instruction ID: 9903b46d79d4c0b31f098cc3390b5efedd2ad94e5cf824da9eef417fc70482b9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0611B971B44204BBEB14EFA5CC87F9E73B9EB09704F504166B604EB2C1E5B99D848B58
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00485110), ref: 004850F5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                  • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                                                                                                                  • API String ID: 47109696-2530820420
                                                                                                                                                                                  • Opcode ID: f94684ca5ff4a6ca7381cd733c0a85fe62770c625d2b9a68cb2525c3b7024c1e
                                                                                                                                                                                  • Instruction ID: 02a49102d00d8724c0d73e8972acf5231ddb46999e19ea23a0f5791770e41de6
                                                                                                                                                                                  • Opcode Fuzzy Hash: f94684ca5ff4a6ca7381cd733c0a85fe62770c625d2b9a68cb2525c3b7024c1e
                                                                                                                                                                                  • Instruction Fuzzy Hash: FE11B230A04644ABDB00F766DC56B5F7BA8DB42744F508877A800DB782D73D9E41975D
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0044CD18: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CD30
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(00000000,00000000,0044CE0A,?,?,?,?,00000000,00000000), ref: 0044CD92
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CDA3
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CDB3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                                                                                                                  • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                                                                                                                  • API String ID: 2141747552-1050967733
                                                                                                                                                                                  • Opcode ID: ea022944773ab25f9a4076fd398f24179dfceb8cd9828e0392caa77096e119c9
                                                                                                                                                                                  • Instruction ID: 55534d0cd89e21a5042de7d2cb1dd0110792ae2e246426a933e63f936c6ed6e6
                                                                                                                                                                                  • Opcode Fuzzy Hash: ea022944773ab25f9a4076fd398f24179dfceb8cd9828e0392caa77096e119c9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 361151B0A01704AFF710EFA1DCC2B5A7BA8E758719F64047BE400666A1DBBD9D448A1C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 00496E01
                                                                                                                                                                                    • Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7
                                                                                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00496E23
                                                                                                                                                                                  • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004973A1), ref: 00496E37
                                                                                                                                                                                  • GetTextMetricsA.GDI32(00000000,?), ref: 00496E59
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00496E76
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00496E2E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                                                                                                                  • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                                                                                                                  • API String ID: 2948443157-222967699
                                                                                                                                                                                  • Opcode ID: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
                                                                                                                                                                                  • Instruction ID: 569e85929f3d385eaff6f9e1b1d1d5c6dd8a65a34f46b30b3a8bef4bdf425d44
                                                                                                                                                                                  • Opcode Fuzzy Hash: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 36018476A04608AFDB05DBE9CC41F5FB7ECDB49704F11047ABA04E7281D678AE008B68
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B8C0
• SelectObject.GDI32(?,00000000), ref: 0041B8CF
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
• SelectObject.GDI32(00000000,00000000), ref: 0041B909
• SelectObject.GDI32(?,00000000), ref: 0041B917
• DeleteDC.GDI32(00000000), ref: 0041B920
• DeleteDC.GDI32(?), ref: 0041B929
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
• Instruction ID: b8528283d587f8f5f7158778d976388ea9280e6d202ec49eeb693ac58173ed71
• Opcode Fuzzy Hash: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
• Instruction Fuzzy Hash: 5A118EB2F04619ABDB10D6DDC885FEFB7BCEB08314F044415B614FB241C678AD418B54
APIs
• GetCursorPos.USER32 ref: 004237FF
• WindowFromPoint.USER32(?,?), ref: 0042380C
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042381A
• GetCurrentThreadId.KERNEL32 ref: 00423821
• SendMessageA.USER32(00000000,00000084,?,?), ref: 0042383A
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423851
• SetCursor.USER32(00000000), ref: 00423863
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: fba33d789b5f9dac747d9de6da7c9d6faa9ef010ba63e634e26d5bfbf65e3e3b
• Instruction ID: d55a13ab3e3fc67d9c1f0c697d1027359b93869cc9afd0973a071b09e334c979
• Opcode Fuzzy Hash: fba33d789b5f9dac747d9de6da7c9d6faa9ef010ba63e634e26d5bfbf65e3e3b
• Instruction Fuzzy Hash: 9901D42230521036D6207B7A5C86E2F22E8CBC5B65F51443FB609BF282D93D8C01976D
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00496C24
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00496C31
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00496C3E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 1a62ebb246959f38fae6f97a16ae9b6e3f147e8fdc483f677f644595477796c0
• Instruction ID: 0100053a3692f287516410ec157e21cb1b88c24c6f2ed11ec452f60a58bd69cd
• Opcode Fuzzy Hash: 1a62ebb246959f38fae6f97a16ae9b6e3f147e8fdc483f677f644595477796c0
• Instruction Fuzzy Hash: 5AF0F692701B1526DA1025764C81B7B698CCBC27A0F060037BD85A7382E9AD9C0552AD
APIs
• GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D98D
• GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D99D
• GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D9AD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 190572456-508647305
• Opcode ID: a120c3d2ef62b36cbcf1f94c94fb794ce275c00622819f97a022044a312cbe17
• Instruction ID: 0705cba7109997b41c54f5ec5154c4026f190107a5f336fc7dc4235633f43cad
• Opcode Fuzzy Hash: a120c3d2ef62b36cbcf1f94c94fb794ce275c00622819f97a022044a312cbe17
• Instruction Fuzzy Hash: E9F030F1901620EBF314EF77AC457273695EBA4302F14843BA445E11B2D7BA085AEA2C
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DE8D
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DE9D
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DEAD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 69782b4271ac4a522c1cbf050024bd159fbeab52ed8ba1f2270972ee26ec74bc
• Instruction ID: ffc1661d06bbefe96a91e36acebf6432405697aaa326f86a6f465272ccde7cfc
• Opcode Fuzzy Hash: 69782b4271ac4a522c1cbf050024bd159fbeab52ed8ba1f2270972ee26ec74bc
• Instruction Fuzzy Hash: 84F01DB1D00A18DED724DF37AC4A72736D5EF74316F08843BA9465A2A2D7B80858DF1D
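The three records above (MonitorFromRect/GetMonitorInfoA looked up in user32.dll, ISCryptGetVersion/ArcFourInit/ArcFourCrypt, and the BZ2_bzDecompress* family) are the pattern behind the report's "Contains functionality to dynamically determine API calls" signature: the wanted names are passed as strings to GetProcAddress instead of appearing in the import table, so a static import listing misses them. The following is an added helper, not part of the Joe Sandbox report or of the analysed sample: a Python parser for the report's "APIs" records that lists, per function, the module handed to GetModuleHandle/LoadLibrary and every symbol resolved through GetProcAddress with the address of the call. The sample input is constructed by copying API lines from four records in this report. The argument values are whatever the sandbox recovered from the stack; treating an 8-hex-digit value in the name slot as an unresolved stack value (skipped) rather than a symbol name is an assumption about the report format.

```python
import re

# Constructed sample: "APIs" lines copied from four function records in this
# report (the GetCursorPos, MonitorFromRect, ISCrypt/ArcFour and BZ2 records).
SAMPLE = """\
APIs
• GetCursorPos.USER32 ref: 004237FF
• WindowFromPoint.USER32(?,?), ref: 0042380C
• SendMessageA.USER32(00000000,00000084,?,?), ref: 0042383A
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00496C24
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00496C31
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00496C3E
APIs
• GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D98D
• GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D99D
• GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D9AD
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DE8D
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DE9D
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DEAD
"""

# One API line: "• Api.DLL(arg,arg), ref: ADDRESS". The argument list is optional
# because calls with no recovered arguments are printed as "Api.DLL ref: ...".
# Indented "Part of subcall function ..." lines do not match and are ignored.
API_LINE = re.compile(
    r"•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})"
)

LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}


def parse_records(text):
    """Split report text into 'APIs' records; each record is a list of call dicts."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = API_LINE.search(line)
        if m is None or current is None:
            continue
        api, dll, args, ref = m.groups()
        current.append({
            "api": api,
            "dll": dll,
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": ref.upper(),
        })
    return records


def is_raw_hex(value):
    """True for an 8-hex-digit stack value printed where a name was expected (assumption)."""
    return len(value) == 8 and all(c in "0123456789abcdefABCDEF" for c in value)


def resolved_imports(records):
    """Per record: the module passed to GetModuleHandle/LoadLibrary (if any) and
    the (symbol, call address) pairs passed to GetProcAddress."""
    out = []
    for rec in records:
        module, symbols = None, []
        for call in rec:
            if call["api"] in LOADERS and call["args"]:
                module = call["args"][0]
            elif call["api"] == "GetProcAddress" and len(call["args"]) >= 2:
                name = call["args"][1]
                if not is_raw_hex(name):
                    symbols.append((name, call["ref"]))
        out.append({"module": module, "symbols": symbols})
    return out


def report_lines(text):
    """Human-readable summary, one line per dynamically resolved symbol."""
    lines = []
    for entry in resolved_imports(parse_records(text)):
        for name, ref in entry["symbols"]:
            via = entry["module"] or "<handle supplied by caller>"
            lines.append(f"{ref}  {name}  via {via}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE)))
```

Run against a saved copy of the report text instead of SAMPLE to get the full list of runtime-resolved names; the ISCrypt/ArcFour and BZ2 records show a module of "<handle supplied by caller>" because the HMODULE reaches GetProcAddress from outside the listed function.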
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,00482671), ref: 0042EE85
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE8B
• InterlockedExchange.KERNEL32(0049D66C,00000001), ref: 0042EE9C
  • Part of subcall function 0042EDFC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
  • Part of subcall function 0042EDFC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
  • Part of subcall function 0042EDFC: InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EEB0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: 147ab314087a4e3dcf6e16000bf7a92f8a6b53821ee1abd9afb0821482d3c5ed
• Instruction ID: d923442659e3b0e51499426f76f6993fec2ee5a704375d7ef0c30b5e995126c2
• Opcode Fuzzy Hash: 147ab314087a4e3dcf6e16000bf7a92f8a6b53821ee1abd9afb0821482d3c5ed
• Instruction Fuzzy Hash: 1AE06DF1B40724AAEF107B766C86B9B2668EB50769F55003BF104A61E1C7FD0C408A6C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
• Opcode ID: 4eb8c5683a80416fa23ca28207be772c3a68f7a3a60c78b74a0383d4a233a3f9
• Instruction ID: 2eb801612c02c2f681ec2550ef92dd2b82403b3208254216f30f7223daafca7c
• Opcode Fuzzy Hash: 4eb8c5683a80416fa23ca28207be772c3a68f7a3a60c78b74a0383d4a233a3f9
• Instruction Fuzzy Hash: BFC0C9E1680710A9D600F7725C82DBB2548D510B25310883FB499651D2E7BD0C144A2C
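The two function records above (the ChangeWindowMessageFilter(Ex) resolver at 0042EE85 and the VerSetConditionMask/VerifyVersionInfoW resolver at 00479E6E) are the kind of trace that backs the report's "Contains functionality to dynamically determine API calls" signature. The following is an added triage helper, not code from Joe Sandbox or from the analysed sample: it parses the "APIs" bullet lines in the format shown on this page, collects the procedure names that appear next to GetModuleHandle/GetProcAddress/LoadLibrary calls, and decodes the action argument of ChangeWindowMessageFilter(Ex) calls. The sample trace embedded in the script is constructed from the lines above with the long stack snapshots shortened. One caveat the code reflects: Joe Sandbox prints a stack snapshot as the argument list, so a string such as user32.dll beside GetProcAddress may belong to the enclosing GetModuleHandleA call; the helper therefore attaches procedure names to the most recently seen module name and treats the result as a hint, not proof.

```python
"""Triage helper for Joe Sandbox function-level API traces (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines copied from the two function records above,
# plus two GDI lines to cover the no-argument form. Non-API lines are skipped.
SAMPLE_TRACE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049B934,004579ED), ref: 0042EE85
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE8B
• InterlockedExchange.KERNEL32(0049D66C,00000001), ref: 0042EE9C
  • Part of subcall function 0042EDFC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0), ref: 0042EE12
  • Part of subcall function 0042EDFC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
  • Part of subcall function 0042EDFC: InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049B934), ref: 0042EEB0
Strings
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B
APIs
• GetFocus.USER32 ref: 0041BB95
• GetDC.USER32(?), ref: 0041BBA1
"""

# One trace line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE, an optional (arg,arg,...) stack snapshot, and "ref: <caller address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Action codes of the two UIPI message-filter APIs (values from the Win32 headers).
MSGFLT_ACTIONS = {
    "ChangeWindowMessageFilter": {"00000001": "MSGFLT_ADD", "00000002": "MSGFLT_REMOVE"},
    "ChangeWindowMessageFilterEx": {"00000000": "MSGFLT_RESET", "00000001": "MSGFLT_ALLOW",
                                    "00000002": "MSGFLT_DISALLOW"},
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str                 # address of the call site inside the sample
    subcall: Optional[str]   # address of the callee the line was lifted from, if any


def parse_trace(text):
    """Return the ApiCall records for every recognised 'APIs' bullet line."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(), m["sub"]))
    return calls


def string_args(call):
    """Arguments that are symbolic strings rather than raw 32-bit stack values or '?'."""
    return [a for a in call.args if a and a != "?" and not HEX8.match(a)]


def dynamic_imports(calls):
    """Map DLL name -> procedure names seen beside resolver calls.

    The DLL is the most recent .dll string in a resolver call, because the
    snapshot for GetProcAddress may only show the name left by GetModuleHandle."""
    found, module = {}, None
    for c in calls:
        if c.api not in RESOLVERS:
            continue
        for s in string_args(c):
            if s.lower().endswith(".dll"):
                module = s.lower()
            elif module is not None:
                found.setdefault(module, set()).add(s)
    return found


def _arg(call, i):
    return call.args[i] if i < len(call.args) else "?"


def uipi_filter_changes(calls):
    """Decode ChangeWindowMessageFilter(Ex) calls as (ref, api, message, action).

    Ex takes (hWnd, message, action, pChangeFilterStruct); the older form takes
    (message, dwFlag). MSGFLT_ALLOW / MSGFLT_ADD lets lower-integrity processes
    post that message, which is why the call is worth a look in an installer."""
    out = []
    for c in calls:
        actions = MSGFLT_ACTIONS.get(c.api)
        if actions is None:
            continue
        msg_idx = 1 if c.api.endswith("Ex") else 0
        action = _arg(c, msg_idx + 1)
        out.append((c.ref, c.api, _arg(c, msg_idx), actions.get(action, action)))
    return out


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for dll, procs in sorted(dynamic_imports(trace).items()):
        print(f"{dll}: {', '.join(sorted(procs))}")
    for ref, api, msg, action in uipi_filter_changes(trace):
        print(f"{ref}: {api}(message={msg}, action={action})")
```

Feed it the full "APIs" text of a report rather than the excerpt and the dynamic_imports output becomes a quick list of everything the binary resolves by name at run time, which is the first thing to compare against the static import table when deciding whether the "dynamically determine API calls" signature is benign compatibility shimming (as the VerifyVersionInfoW and ChangeWindowMessageFilter fallbacks here suggest) or import hiding.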
APIs
• GetFocus.USER32 ref: 0041BB95
• GetDC.USER32(?), ref: 0041BBA1
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041BBD6
• RealizePalette.GDI32(00000000), ref: 0041BBE2
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC10
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC44
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID:
• API String ID: 3275473261-0
• Opcode ID: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
• Instruction ID: d5c29bb792210f064481fc70285f12689ccfb8d13ad776c980584781b3891df8
• Opcode Fuzzy Hash: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
• Instruction Fuzzy Hash: E4511E74A002099FCF11DFA9C895AEEBBB5FF49704F10406AF500A7790D779AD81CBA9
APIs
• GetFocus.USER32 ref: 0041BE67
• GetDC.USER32(?), ref: 0041BE73
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEAD
• RealizePalette.GDI32(00000000), ref: 0041BEB9
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BEDD
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF11
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID:
• API String ID: 3275473261-0
• Opcode ID: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
• Instruction ID: 6bf5c6e251c24ad455d3524f1730cbba616f151bd8f8db37d5e0169c444cf9bf
• Opcode Fuzzy Hash: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
• Instruction Fuzzy Hash: FD511875A002089FCB11DFA9C891AAEBBF5FF49700F11846AF504EB390D7789D40CBA8
APIs
• GetFocus.USER32 ref: 0041B9CE
• GetDC.USER32(?), ref: 0041B9DA
• GetDeviceCaps.GDI32(?,00000068), ref: 0041B9F6
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA13
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA2A
• ReleaseDC.USER32(?,?), ref: 0041BA76
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
• String ID:
• API String ID: 2502006586-0
• Opcode ID: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
• Instruction ID: 59801f7e5fcc4ac8ef53bb63f5e7b2fd9dc64a74171921ba3453a8653c00992f
• Opcode Fuzzy Hash: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
• Instruction Fuzzy Hash: A941C371A042189FCB10DFB9C885A9FBBB4EF49740F1484AAF940EB351D2389D11CBA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D980,?,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8F2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041C225
• GetSystemMetrics.USER32(0000000C), ref: 0041C22F
• GetDC.USER32(00000000), ref: 0041C239
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C260
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C26D
• ReleaseDC.USER32(00000000,00000000), ref: 0041C2A6
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
• API String ID: 447804332-0
APIs
  • Part of subcall function 0045D848: SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3
• GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 004747FD
• GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 00474813
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 00474807
• Failed to set permissions on registry key (%d)., xrefs: 00474824
• Setting permissions on registry key: %s\%s, xrefs: 004747C2
• I, xrefs: 00474785
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s$I
• API String ID: 1452528299-1959139981
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047FA6A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046DA09), ref: 0047FA90
• GetWindowLongA.USER32(?,000000EC), ref: 0047FAA0
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047FAC1
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047FAD5
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047FAF1
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
APIs
  • Part of subcall function 0041AB30: CreateBrushIndirect.GDI32 ref: 0041AB9B
• UnrealizeObject.GDI32(00000000), ref: 0041B6CC
• SelectObject.GDI32(?,00000000), ref: 0041B6DE
• SetBkColor.GDI32(?,00000000), ref: 0041B701
• SetBkMode.GDI32(?,00000002), ref: 0041B70C
• SetBkColor.GDI32(?,00000000), ref: 0041B727
• SetBkMode.GDI32(?,00000001), ref: 0041B732
  • Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
APIs
  • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
• ShowWindow.USER32(?,00000005,00000000,004998A9,?,?,00000000), ref: 0049967A
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 004076F8: SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703
  • Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF2A
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF30
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF59
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458824
• GetExitCodeProcess.KERNEL32(?,?), ref: 00458845
• CloseHandle.KERNEL32(?,00458878), ref: 0045886B
Strings
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
• InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29
Strings
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD
Strings
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
APIs
• BeginPaint.USER32(00000000,?), ref: 004170A2
• SaveDC.GDI32(?), ref: 004170D3
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00417195), ref: 00417134
• RestoreDC.GDI32(?,?), ref: 0041715B
• EndPaint.USER32(00000000,?,0041719C,00000000,00417195), ref: 0041718F
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
• API String ID: 3808407030-0
APIs
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041C01A
• GetSystemMetrics.USER32(0000000C), ref: 0041C024
• GetDC.USER32(00000000), ref: 0041C062
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0A9
• DeleteObject.GDI32(00000000), ref: 0041C0EA
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MetricsSystem$BitmapCreateDeleteObject
• String ID:
• API String ID: 1095203571-0
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C58
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C87
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429CA3
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429CCE
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429CEC
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414869
• RealizePalette.GDI32(00000000), ref: 00414871
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414885
• RealizePalette.GDI32(00000000), ref: 0041488B
• ReleaseDC.USER32(00000000,00000000), ref: 00414896
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407453
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 004074CD
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407525
Strings
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
APIs
• SetRectEmpty.USER32(?), ref: 0044D626
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D651
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D6D9
Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DrawText$EmptyRect
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 182455014-2867612384
                                                                                                                                                                                  • Opcode ID: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
                                                                                                                                                                                  • Instruction ID: 5f00bac91b28cdab45bfb944687f04cfacea2c0ae70fe3b1c590f7ffbabf3d5b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7C517271E00248AFDB11DFA9C885BDEBBF8AF49304F15847AE805EB252D7389944CB64
APIs
• GetDC.USER32(00000000), ref: 0042F42A
  • Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7
• SelectObject.GDI32(?,00000000), ref: 0042F44D
• ReleaseDC.USER32(00000000,?), ref: 0042F52C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
• Instruction ID: 21909acc4746510f695b318a8719c62c66087a48e53e42bcbae852ee139bb065
• Opcode Fuzzy Hash: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
• Instruction Fuzzy Hash: E1314270B00229ABDB11EF9AD851BAEB7F9EB48308F90447BF410A7291C7785E45CA59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID: .tmp$_iu
• API String ID: 3498533004-10593223
• Opcode ID: 2a078343c1ee0e1e426b7682a7e14f96dd8f6dbcb1786daf15018a65187b9764
• Instruction ID: 59545500d2eeb09234598e35ee9a1648d273934097dc79d2b475452d37d3be57
• Opcode Fuzzy Hash: 2a078343c1ee0e1e426b7682a7e14f96dd8f6dbcb1786daf15018a65187b9764
• Instruction Fuzzy Hash: 8431C570E00209ABCF11EB95C942BEEBBB5AF54309F20452AF900BB3D2D7385F459759
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
• UnregisterClassA.USER32(?,00400000), ref: 004168FB
• RegisterClassA.USER32(?), ref: 0041691E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: 4396ba66f38c50fdb8df942a61c3a5bf44a39cad718591ab6b3f39f0828efa85
• Instruction ID: c7ae62685634f2feb307fa6559a912500e41153472d9d2bb59c10c8b55fc2cbc
• Opcode Fuzzy Hash: 4396ba66f38c50fdb8df942a61c3a5bf44a39cad718591ab6b3f39f0828efa85
• Instruction Fuzzy Hash: C6318E706043008BDB10EF68C885B9B77E9AB89308F00457FF985DB392DB39DD458B5A
APIs
• GetFileAttributesA.KERNEL32(00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B68
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B91
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00499BAA
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
• Instruction ID: 0b841a000e743cb9e8da0cfb8565bc532e10ded45a2cf007f5af54a585f9ef1c
• Opcode Fuzzy Hash: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
• Instruction Fuzzy Hash: 54212171D14119ABCF00EBA9D881AAFBBB8BB58314F11457EA814B72D1D63C6E018A59
APIs
  • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004573EC
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00457419
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
• Opcode ID: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
• Instruction ID: 195147ed2e8b8ae7ced7006412bb8845aee82bd7b9f018cfdf51d436bcb33606
• Opcode Fuzzy Hash: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
• Instruction Fuzzy Hash: C911D630B04204BFDB01DFA6DC51A4EBBADEB4A305F108076FD04D3652DA389E04C618
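The entries in this part of the report follow one shape: an APIs list (with "Part of subcall function" marking calls the plugin attributes to a callee rather than to the function itself), a Strings list with xrefs, the memory-dump source, and a Similarity block whose Opcode and Instruction fuzzy hashes are what the report uses to match a function against functions seen in other analyses. The Python below is an added example, not Joe Sandbox code or tooling: it parses a sample constructed from three entries on this page (the isRS-%.3u.tmp file-move function, the LoadTypeLib/RegisterTypeLib function with its subcall lines, and the debug-client SendMessageA function) into records, lists the entries that mutate files together with their String IDs, and indexes entries by Instruction Fuzzy Hash so two reports can be diffed for shared functions. The regular expressions, the record layout and the FILE_WRITE_APIS set are this example's own assumptions, not part of the report format's specification.

```python
"""Parse Joe Sandbox function entries (APIs / Strings / Similarity blocks) for triage.

Added example, not Joe Sandbox tooling. SAMPLE is constructed from three entries on
this page; the regexes and the FILE_WRITE_APIS set are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• GetFileAttributesA.KERNEL32(00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B68
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B91
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00499BAA
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• Instruction Fuzzy Hash: 54212171D14119ABCF00EBA9D881AAFBBB8BB58314F11457EA814B72D1D63C6E018A59
APIs
  • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004573EC
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00457419
Strings
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• Instruction Fuzzy Hash: C911D630B04204BFDB01DFA6DC51A4EBBADEB4A305F108076FD04D3652DA389E04C618
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045796A
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A07
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457996
• Failed to create DebugClientWnd, xrefs: 004579D0
Similarity
• API ID: MessageSend
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function XXXXXXXX: ]Name.Module(args), ref: XXXXXXXX"
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
STRING_RE = re.compile(r"^•\s*(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str
    args: list
    subcall_of: Optional[str] = None  # callee address when the call is only attributed


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref) pairs
    meta: dict = field(default_factory=dict)     # Similarity and dump metadata


def parse_entries(text):
    """Split report text on 'APIs' headers and parse each entry's sections."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            section = line
        elif current is None or not line:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            current.apis.append(ApiCall(m["name"], m["mod"], m["ref"], args, m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["text"], m["ref"]))
        elif section not in ("APIs", "Strings") and (m := KV_RE.match(line)):
            current.meta[m["key"].strip()] = m["val"].strip()
    return entries


def direct_api_names(entry):
    """APIs the function calls itself; subcall attributions are excluded."""
    return [c.name for c in entry.apis if c.subcall_of is None]


# Assumed triage set: APIs that create, move or re-attribute files.
FILE_WRITE_APIS = {"CreateFileA", "CreateFileW", "MoveFileExA", "MoveFileExW",
                   "SetFileAttributesA", "SetFileAttributesW", "DeleteFileA", "DeleteFileW"}


def file_mutation_entries(entries):
    """(API ID, String ID, file APIs) for entries that write, move or re-attribute files."""
    hits = []
    for e in entries:
        touched = set(direct_api_names(e)) & FILE_WRITE_APIS
        if touched:
            hits.append((e.meta.get("API ID"), e.meta.get("String ID", ""), sorted(touched)))
    return hits


def hash_index(entries, key="Instruction Fuzzy Hash"):
    """Map a similarity hash to its API ID; entries without the hash are skipped."""
    return {e.meta[key]: e.meta.get("API ID") for e in entries if key in e.meta}


def shared_functions(entries_a, entries_b, key="Instruction Fuzzy Hash"):
    """Hashes present in both reports, i.e. functions the two samples share."""
    ia, ib = hash_index(entries_a, key), hash_index(entries_b, key)
    return sorted(h for h in ia if h in ib)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for api_id, string_id, apis in file_mutation_entries(parsed):
        print(f"{api_id}: {apis} strings={string_id!r}")
```

Feed it the text of a whole report section and the file-mutation list gives you each function that writes or moves files next to the format strings it uses (here the isRS-%.3u.tmp rename target), which is faster to review than scrolling the raw entries. Running `shared_functions` on the parsed entries of two reports tells you which functions are byte-pattern identical between samples before you open either in a disassembler; only direct API calls are counted so that a callee's attribution does not make every caller look like a file writer.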
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045796A
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A07
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457996
• Failed to create DebugClientWnd, xrefs: 004579D0
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
                                                                                                                                                                                  • Opcode ID: 925f9ffdcd425408a01fa4f98f39528b3d7bbeff17d45d483e1d3833f7d96f07
                                                                                                                                                                                  • Instruction ID: b12cfe17c44d9b7297a0742d7ace06ebf4c30bfebd2037bde928bbf0dce3c7c1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 925f9ffdcd425408a01fa4f98f39528b3d7bbeff17d45d483e1d3833f7d96f07
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1311C4B16082509BE310AB299C81B5F77949B54319F04443BF9849F383D3B99C18C7AE
APIs
  • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
• GetFocus.USER32 ref: 0047999F
• GetKeyState.USER32(0000007A), ref: 004799B1
• WaitMessage.USER32(?,00000000,004799D8,?,00000000,004799FF,?,?,00000001,00000000,?,?,0048174F,00000000,00482671), ref: 004799BB
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
• Opcode ID: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
• Instruction ID: 0ce6ec70c77c992717eb959f135b56f98f7128e6f958ad4e09c8363bf76ba6b5
• Opcode Fuzzy Hash: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
• Instruction Fuzzy Hash: 0511A3B0604244AFDB00FF69D842ADEB7B8EB49704B51C5BBF508E7381D738AD00CA69
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046F430
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046F43F
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
• Instruction ID: b1f3f51ab816b97a6d4fd488e4796d5760ecc8acc51059d8482d4647201c4143
• Opcode Fuzzy Hash: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
• Instruction Fuzzy Hash: F111F5A040C3919AD340DF2AC44072BBAE4AB99708F44896FF9C8D6381E779C948DB67
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004546EB
  • Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB
• MoveFileA.KERNEL32(00000000,00000000), ref: 00454710
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: cd51b7d6411f51ddff926bfb4089fa62fb2906befb808aa5ea3769e8c14f62c4
• Instruction ID: 274a2e09890dd6abd1f20e60e4879b25532b4b8e44e7f96c1dbb1ac345d4d7c6
• Opcode Fuzzy Hash: cd51b7d6411f51ddff926bfb4089fa62fb2906befb808aa5ea3769e8c14f62c4
• Instruction Fuzzy Hash: 53F08B746141445BE701FBA5D94265FA7ECEB8431EF50403BB800BB6C3DB3C9D08492D
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00484FF1
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485014
Strings
• CSDVersion, xrefs: 00484FE8
• System\CurrentControlSet\Control\Windows, xrefs: 00484FBE
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 588979afecb5e58398fc217bb96039a03130116915b658699a0af779137a0fe4
• Instruction ID: 3d9820a6fde95d05ac542d305ffe0a0e534a7c1f4e1b62a11fb8fb702f882c01
• Opcode Fuzzy Hash: 588979afecb5e58398fc217bb96039a03130116915b658699a0af779137a0fe4
• Instruction Fuzzy Hash: E7F04975A40608E6DF10FAD18C55BDF73BCAB05704F604967E510E7281E7399A049BAE
APIs
  • Part of subcall function 0044BB28: LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A
  • Part of subcall function 004651E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004651FB
• LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystem
                                                                                                                                                                                  • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                                                                                                  • API String ID: 1442766254-2683653824
                                                                                                                                                                                  • Opcode ID: 19c949dbb77f1a78b4d411d9c1a27eb2db95fd8b53bd2c0869d9e8e17518ae75
                                                                                                                                                                                  • Instruction ID: 415eb7409d81aa8454bb2dd4c72fa8b3e514a75415032da6adba06dceafb32ff
                                                                                                                                                                                  • Opcode Fuzzy Hash: 19c949dbb77f1a78b4d411d9c1a27eb2db95fd8b53bd2c0869d9e8e17518ae75
                                                                                                                                                                                  • Instruction Fuzzy Hash: F5F04470640A08BFD700FB62DC53F5E7BACEB45718FA044B7B400B6591EA7C9E04892D
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                  • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                                                                                                                  • API String ID: 47109696-2631785700
                                                                                                                                                                                  • Opcode ID: b627f2800f19387767bd04b51e727e1d4b1db306c8c191df54aff93f44ad508f
                                                                                                                                                                                  • Instruction ID: 9ff5366a1843594bb80037a440052cb9e88b760eaf161db27522a6c9f4c26c6f
                                                                                                                                                                                  • Opcode Fuzzy Hash: b627f2800f19387767bd04b51e727e1d4b1db306c8c191df54aff93f44ad508f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2AF0AF31300121EBEB10EB17AC41B5E6789DB91316F18443BFA81C7253F6BCDC46862E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                  • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                                                                                                                  • API String ID: 1646373207-4063490227
                                                                                                                                                                                  • Opcode ID: 5abbe40046ba00350f24005cef1803a495b962ffc597d09d0b22329c5a666800
                                                                                                                                                                                  • Instruction ID: 2c7f72bc3db4c40d16b1b765d912767d34fa58fe4c646cc18e222b4ed7f6fe44
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5abbe40046ba00350f24005cef1803a495b962ffc597d09d0b22329c5a666800
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0FE02660B60F1113D70071BA5C8379B208D4B84718F90043F3984F52C6DDBDD9490A6E
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF20), ref: 0042EFB2
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFB8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                  • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                                                                                                                  • API String ID: 1646373207-260599015
                                                                                                                                                                                  • Opcode ID: baf4c7a8591a40d7dc6da6f15e5b4dc27338d30cfca151258ddc16df194b77c5
                                                                                                                                                                                  • Instruction ID: 02ec898c6c75b1ba26151a3eebd585b8454ae7040b346800783755fde70e6890
                                                                                                                                                                                  • Opcode Fuzzy Hash: baf4c7a8591a40d7dc6da6f15e5b4dc27338d30cfca151258ddc16df194b77c5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 01D0A993302B3332AA1071FB3DC19BB02CC8D202AA3670033F600E2280EA8CCC4012AC
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                  • String ID: NotifyWinEvent$user32.dll
                                                                                                                                                                                  • API String ID: 1646373207-597752486
                                                                                                                                                                                  • Opcode ID: 21449735c4530238711e5baf3f7e6c6119c4b5ed48e58139290ccade4ce38153
                                                                                                                                                                                  • Instruction ID: af032255d430417ffea63134fe83afc5c4b4dbba1536058c56e775f9f11b8dd5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 21449735c4530238711e5baf3f7e6c6119c4b5ed48e58139290ccade4ce38153
                                                                                                                                                                                  • Instruction Fuzzy Hash: B2E012E0E417449AFB00BBB96D467193AD0EF6471DF10007FB540A6291C77C44489B1D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                                                  • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                                                                                                                  • API String ID: 1646373207-834958232
                                                                                                                                                                                  • Opcode ID: 51550ffda035ac84042d4bddea94f20537adf7cd2f58fd56988f617bc6aacde1
                                                                                                                                                                                  • Instruction ID: dac1c8ebddd32ae9bf6a035aad1c8d1f3cf840f271d0053423bdda14aa0d062e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 51550ffda035ac84042d4bddea94f20537adf7cd2f58fd56988f617bc6aacde1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 09B09281686A01509C4033F20C06A1B0E08484171871800B73400F12C6CE6E842404FF
                                                                                                                                                                                  APIs
  • Part of subcall function 0042F2BC: GetTickCount.KERNEL32 ref: 0042F2C2
  • Part of subcall function 0042F0D8: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F10D
• GetLastError.KERNEL32(00000000,004768B9,?,?,0049E1E4,00000000), ref: 004767A2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
• Opcode ID: 60709b24bbd29ecba445f14f57d2c4ad189bd31ebd78b2e227524017e35208ed
• Instruction ID: 03a236e7dc5f504d91790a0ce298dd5dba96fa6117a2cc3ee4ad00c9fc2b7c38
• Opcode Fuzzy Hash: 60709b24bbd29ecba445f14f57d2c4ad189bd31ebd78b2e227524017e35208ed
• Instruction Fuzzy Hash: 53418474A006098BCB00EFA5D882ADE77B9EF48314F52853BE414B7391D7389E05CBAD
APIs
• GetDesktopWindow.USER32 ref: 00414196
• GetDesktopWindow.USER32 ref: 0041424E
  • Part of subcall function 00419310: 6FA0C6F0.COMCTL32(00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 0041932C
  • Part of subcall function 00419310: ShowCursor.USER32(00000001,00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 00419349
• SetCursor.USER32(00000000,?,?,?,?,00413F43,00000000,00413F56), ref: 0041428C
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
• Instruction ID: 6a264f145c0982e92da272f414c83554030b66ece25ea6070dcdf00fca6814f6
• Opcode Fuzzy Hash: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
• Instruction Fuzzy Hash: 30414170A10151AFC710EF6DDD89B5677E5ABA9318B05807BE409CB366C738DC81CB1D
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408EC5
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408F34
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408FCF
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040900E
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
• Opcode ID: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
• Instruction ID: d606a76aa49eec759d07c5becdfef17a6c6b9766ea912d15a143196380f0994c
• Opcode Fuzzy Hash: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
• Instruction Fuzzy Hash: C73162706083815AD330EB65C945BDBB7D99F8A304F00483FB6C8D72D2DB799904876B
APIs
• SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044EEE5
  • Part of subcall function 0044D528: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044D55A
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EF69
  • Part of subcall function 0042C004: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042C018
• IsRectEmpty.USER32(?), ref: 0044EF2B
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EF4E
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
• Opcode ID: 6e26a94a7199d382ea3abf285ca1d810cec0835dc4ac21152864a4c17455089d
• Instruction ID: 5be5a2c99a49a2f339bd726f9f517b743d06364a043e5a66e7e3b57b404dc1d6
• Opcode Fuzzy Hash: 6e26a94a7199d382ea3abf285ca1d810cec0835dc4ac21152864a4c17455089d
• Instruction Fuzzy Hash: 5B118C3170031027E610BA7E8C82B5F66C99B88748F01483FB60AEB387DDB8DC09835E
APIs
• OffsetRect.USER32(?,?,00000000), ref: 00497270
• OffsetRect.USER32(?,00000000,?), ref: 0049728B
• OffsetRect.USER32(?,?,00000000), ref: 004972A5
• OffsetRect.USER32(?,00000000,?), ref: 004972C0
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
• Opcode ID: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
• Instruction ID: e718e50738441f611e1ccbf74e0cde98489d487b8bfa6672397ae6e260ffa509
• Opcode Fuzzy Hash: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
• Instruction Fuzzy Hash: BE214FB67142016BCB00DF69CD85E5BB7EEEBD4340F14CA2AF544C728AD634E9448796
APIs
• GetCursorPos.USER32 ref: 004176B0
• SetCursor.USER32(00000000), ref: 004176F3
• GetLastActivePopup.USER32(?), ref: 0041771D
• GetForegroundWindow.USER32(?), ref: 00417724
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
• Opcode ID: 14110dda0b90429387dd3a163e0d8510df73624919390f4fd5eb2ebddd82d255
• Instruction ID: dbcb3e4d6cdf237ebd373b45723c7518e1d79ef9827cdcdbbe1e0fb97faef126
• Opcode Fuzzy Hash: 14110dda0b90429387dd3a163e0d8510df73624919390f4fd5eb2ebddd82d255
• Instruction Fuzzy Hash: 8121CF303086018BC710EF29D980ADB73B1AB44768F52447BE8688B392D73DEC81CA8D
APIs
• MulDiv.KERNEL32(8B500000,00000008,?), ref: 00496ED9
• MulDiv.KERNEL32(50142444,00000008,?), ref: 00496EED
• MulDiv.KERNEL32(F6E65FE8,00000008,?), ref: 00496F01
• MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00496F1F
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetClassInfoA.USER32(00400000,0041F8C0,?), ref: 0041F8F1
• UnregisterClassA.USER32(0041F8C0,00400000), ref: 0041F91A
• RegisterClassA.USER32(0049B598), ref: 0041F924
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F95F
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D477
• LoadResource.KERNEL32(00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64,0000000A,00000000), ref: 0040D491
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64), ref: 0040D4AB
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?), ref: 0040D4B5
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000,0045BFD1), ref: 00456574
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000), ref: 0045657D
• RemoveFontResourceA.GDI32(00000000), ref: 0045658A
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045659E
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 00470CA1
Strings
• Failed to set NTFS compression state (%d)., xrefs: 00470CB2
• Unsetting NTFS compression on directory: %s, xrefs: 00470C87
• Setting NTFS compression on directory: %s, xrefs: 00470C6F
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
APIs
• GetLastError.KERNEL32(?,00000000), ref: 0047144D
Strings
• Failed to set NTFS compression state (%d)., xrefs: 0047145E
• Unsetting NTFS compression on file: %s, xrefs: 00471433
• Setting NTFS compression on file: %s, xrefs: 0047141B
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
                                                                                                                                                                                  • Opcode ID: fe182551a98f743fcb6dc7018ea21a6c51c49eaeb083c5d16317d3ad1726425c
                                                                                                                                                                                  • Instruction ID: a30ff693f52cd42e459b797e94763e7277481e0955e0c4e592f957c66b82d28b
• Instruction Fuzzy Hash: 41016730D0424866CB1497AD64422DDBBE89F4D315F94C1EFA458E7352DE790A0887AA
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000,0049A5EB), ref: 00479455
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000), ref: 0047945B
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047947D
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047948E
Memory Dump Source
• Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
• Instruction ID: 6505384fcc0360b3c734b71afb4e1a1a4ab6f9baee95e57f14d901b11eacad59
• Instruction Fuzzy Hash: 90F030716447006BD600EAB58D82E9B73DCEB44354F04883EBE98CB2C1D678DC08AB76
APIs
• GetLastActivePopup.USER32(?), ref: 0042469C
• IsWindowVisible.USER32(?), ref: 004246AD
• IsWindowEnabled.USER32(?), ref: 004246B7
• SetForegroundWindow.USER32(?), ref: 004246C1
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
• Instruction ID: 92c4e0b2622c21c1aafdf32b5a5e60d634be871c9bac48645995030a32fad986
• Instruction Fuzzy Hash: BBE01261B0293157AA31FA7AA885A9F118CDD47BC43460277BC41F7297DB2CDC1045FD
APIs
• GlobalHandle.KERNEL32 ref: 0040627F
• GlobalUnlock.KERNEL32(00000000), ref: 00406286
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040628B
• GlobalLock.KERNEL32(00000000), ref: 00406291
Similarity
• API ID: Global$AllocHandleLockUnlock
• String ID:
• API String ID: 2167344118-0
• Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
• Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047CE0D,?,00000000,00000000,00000001,00000000,0047B7C1,?,00000000), ref: 0047B785
Strings
• Failed to parse "reg" constant, xrefs: 0047B78C
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047B5F9
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: 6611c1e9441ec69d347f76f9853cf70306d1c1791fe979a3a4115cedc0ac6e02
• Instruction ID: f1421b174eee6fc7f54e6f8e7a43c19df08b7389384ab18ee26f4796af10067b
• Instruction Fuzzy Hash: 89815175E00208AFCB10DFA5D481BDEBBF9EF48354F50816AE454A7391DB38AE05CB99
APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 004776F8
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 0047770C
Strings
• Extracting temporary file: , xrefs: 00477634
Similarity
• API ID: FileTime$Local
• String ID: Extracting temporary file:
• API String ID: 791338737-4171118009
• Opcode ID: 8d8d29b45fb9742880719863d89589a4356bfd1e7f13b2e05d84abbcd72ab195
• Instruction ID: 13e9f88ccb8282ea38195536ff5c63a907cbb836f3d7a61bc1ee4cb3f854d839
• Instruction Fuzzy Hash: 4041B774A04649AFCB01DF65CC91AEFBBB8EB09304F51847AF910A7391D678A901CB98
Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046D9F8
• Failed to proceed to next wizard page; aborting., xrefs: 0046D9E4
Similarity
• API ID:
• String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
• API String ID: 0-1974262853
• Opcode ID: add31560b0341e522612951ad2314b824f5c06f277653e44a4d324fe3becfdea
• Instruction ID: 84e2974eb34e4f2dda2b8c8cb2eefec3d4715c8d151fead2dfc4afe0ae77ca03
                                                                                                                                                                                  • Opcode Fuzzy Hash: add31560b0341e522612951ad2314b824f5c06f277653e44a4d324fe3becfdea
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4D319E70F04204EFD711EB69D989BA977F5EB05304F6500BBE408AB3A2D7786E44CB1A
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,0047A1C6,?,?,00000001,00000000,00000000,0047A1E1), ref: 0047A1AF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • %s\%s_is1, xrefs: 0047A158
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047A13A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen
                                                                                                                                                                                  • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                                                                                  • API String ID: 47109696-1598650737
                                                                                                                                                                                  • Opcode ID: 91dc773cb254a962c58777c4e5504297312389ea1f328f3f9ad862e77fdf1cb2
                                                                                                                                                                                  • Instruction ID: 0d63d1a050f55a8da938840af3d9f6bfa62d29ba12cdbe4796c61ae60ad15f2e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 91dc773cb254a962c58777c4e5504297312389ea1f328f3f9ad862e77fdf1cb2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E216474B042449FEB01DFA9CC516EEBBF8EB89704F90847AE404E7381D7789E158B59
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004508A1
                                                                                                                                                                                  • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004508D2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExecuteMessageSendShell
                                                                                                                                                                                  • String ID: open
                                                                                                                                                                                  • API String ID: 812272486-2758837156
                                                                                                                                                                                  • Opcode ID: adc24c5d3b5368d32e78575de7f2422fd367a658f9279fd22d1d28f183eb37d2
                                                                                                                                                                                  • Instruction ID: f57ce05e9eba324e121f638db0535f08eb0d68243c76b72727f5d658c61a4d86
                                                                                                                                                                                  • Opcode Fuzzy Hash: adc24c5d3b5368d32e78575de7f2422fd367a658f9279fd22d1d28f183eb37d2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4C216075E00604BFDB00EFA9C981E9EB7F8EB44705F10817AB904F7292D7789A45CB88
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ShellExecuteEx.SHELL32(0000003C), ref: 00455A94
                                                                                                                                                                                  • GetLastError.KERNEL32(0000003C,00000000,00455ADD,?,?,?), ref: 00455AA5
                                                                                                                                                                                    • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                                                                                                  • String ID: <
                                                                                                                                                                                  • API String ID: 893404051-4251816714
                                                                                                                                                                                  • Opcode ID: d516e6598b8be20c8747e6ec9c3ac67b1ec18d9ef1beef7a885f0700c60fe9ff
                                                                                                                                                                                  • Instruction ID: 1dd1e4a4b05f96b02f6cdc30b2026c57645841094811f513de853399c4f5318c
                                                                                                                                                                                  • Opcode Fuzzy Hash: d516e6598b8be20c8747e6ec9c3ac67b1ec18d9ef1beef7a885f0700c60fe9ff
                                                                                                                                                                                  • Instruction Fuzzy Hash: 482151B0A00649AFDB00DF65D8926AE7BE8EF08345F50413BF844E7281E7789E49CB58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlEnterCriticalSection.KERNEL32(0049D420,00000000,)), ref: 004025C7
                                                                                                                                                                                  • RtlLeaveCriticalSection.KERNEL32(0049D420,0040263D), ref: 00402630
                                                                                                                                                                                    • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                                                                                    • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420,0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                                                                                    • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                                                                                    • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049D420,00401A89,00000000,00401A82,?,?,0040222E,0215D7B4,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                                                                                                  • String ID: )
                                                                                                                                                                                  • API String ID: 2227675388-1084416617
                                                                                                                                                                                  • Opcode ID: b1c34bbcfa7d0433af8c48dff581505e6c7889bd18d36f496ad8d1521465f649
                                                                                                                                                                                  • Instruction ID: 570f99ef1d3d95e4b4d80a2adc1962b98f522b57bc72750d6ce688ebb538822c
                                                                                                                                                                                  • Opcode Fuzzy Hash: b1c34bbcfa7d0433af8c48dff581505e6c7889bd18d36f496ad8d1521465f649
                                                                                                                                                                                  • Instruction Fuzzy Hash: CE110131B042046FEB25AF799F1A62AAAD4D79575CB64087FF404F32D2D9BD9C02826C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00498451
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window
                                                                                                                                                                                  • String ID: /INITPROCWND=$%x $@
                                                                                                                                                                                  • API String ID: 2353593579-4169826103
                                                                                                                                                                                  • Opcode ID: 3a83e6e038dbafd0e3ea01eb6dd6426255c1a8b46f58718dc6178500fe069b44
                                                                                                                                                                                  • Instruction ID: a9318bdce5e824465d4436be78f64917a5ae5ef5b8220d929174e0d313b11457
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3a83e6e038dbafd0e3ea01eb6dd6426255c1a8b46f58718dc6178500fe069b44
                                                                                                                                                                                  • Instruction Fuzzy Hash: EF119370A082059FDB01DBA9D851BAEBBE8EF49314F11847BE504E7292EA3C99058B58
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                                                                                                    • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00447966
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: String$AllocByteCharFreeMultiWide
                                                                                                                                                                                  • String ID: NIL Interface Exception$Unknown Method
                                                                                                                                                                                  • API String ID: 3952431833-1023667238
                                                                                                                                                                                  • Opcode ID: ea7a85b9692c4460c5906b58765fb64bf6ee6b5f46e4d7caecedcff591b2af5e
                                                                                                                                                                                  • Instruction ID: 10ddd43a001eab7360299ad3f405319ab988bcee1c7d5b08318f9ee426dd8228
                                                                                                                                                                                  • Opcode Fuzzy Hash: ea7a85b9692c4460c5906b58765fb64bf6ee6b5f46e4d7caecedcff591b2af5e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9211E9716042089FEB10EFA58D51A6FBBBDEB09304F91403AF500F7281C7789D01C769
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00497D50,?,00497D44,00000000,00497D2B), ref: 00497CF6
                                                                                                                                                                                  • CloseHandle.KERNEL32(00497D90,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00497D50,?,00497D44,00000000), ref: 00497D0D
                                                                                                                                                                                    • Part of subcall function 00497BE0: GetLastError.KERNEL32(00000000,00497C78,?,?,?,?), ref: 00497C04
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseCreateErrorHandleLastProcess
                                                                                                                                                                                  • String ID: D
                                                                                                                                                                                  • API String ID: 3798668922-2746444292
                                                                                                                                                                                  • Opcode ID: a880bfa9a77c93c91fa9ab75ae7060b7f78cb32e3cfe05dc5138aae6885ad4e0
                                                                                                                                                                                  • Instruction ID: a89f5070db7a5e6d261d16ca7c1b7ea99db6432e353ebe52f8e4aa70fd7af1a9
                                                                                                                                                                                  • Opcode Fuzzy Hash: a880bfa9a77c93c91fa9ab75ae7060b7f78cb32e3cfe05dc5138aae6885ad4e0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1001A1B0608248AFDB00DBA5DC42FAF7BACDF09704F60013BF504E72C1E6785E008668
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetFileAttributesA.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 00453607
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 0045360F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesErrorFileLast
                                                                                                                                                                                  • String ID: @8H
                                                                                                                                                                                  • API String ID: 1799206407-3762495883
                                                                                                                                                                                  • Opcode ID: 65c44507f9335e4e2a077e4ee2190135d3d5d768f820153090acd923ffb3f295
                                                                                                                                                                                  • Instruction ID: 2a718f5fbeded0ca4f0ca1a684ecb9b724474f3cd93569f9f0dcaab09f3de9c7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 65c44507f9335e4e2a077e4ee2190135d3d5d768f820153090acd923ffb3f295
                                                                                                                                                                                  • Instruction Fuzzy Hash: 49F0F971A04204BBCB10DF7AAC4249EF7ECDB49362711457BFC14D3342E6784E088598
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0047E3D0: FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6
                                                                                                                                                                                    • Part of subcall function 0047E0A8: GetTickCount.KERNEL32 ref: 0047E0F2
                                                                                                                                                                                    • Part of subcall function 00457A90: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 00457AAF
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049A243), ref: 00499941
                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049A243), ref: 00499947
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Detected restart. Removing temporary directory., xrefs: 004998FB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                                                                                                                  • String ID: Detected restart. Removing temporary directory.
                                                                                                                                                                                  • API String ID: 1717587489-3199836293
                                                                                                                                                                                  • Opcode ID: cf4eeb9d2890f889123e5d43942b6b9d65dcdfa64d28096ccc0edee5f77a06bc
                                                                                                                                                                                  • Instruction ID: 3ff60914118e938cb0b4ccf38de38d34f2fcffefe5e82e60aedbfe03ba6cc694
                                                                                                                                                                                  • Opcode Fuzzy Hash: cf4eeb9d2890f889123e5d43942b6b9d65dcdfa64d28096ccc0edee5f77a06bc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7DE0E5B12086446EDE1277AB6C1796B3F8CD74A76CB11447FF80491652E82D4C108A3D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
                                                                                                                                                                                  • GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CommandHandleLineModule
                                                                                                                                                                                  • String ID: 7Y
                                                                                                                                                                                  • API String ID: 2123368496-1719787000
                                                                                                                                                                                  • Opcode ID: 4c2fff2b42c352919ceac1b40f57867521b0a3bfc58f22e25f1018fd897ed554
                                                                                                                                                                                  • Instruction ID: 62cda813ad8590bce7ae974c015f7103e9ff33e1479b40d519804c4e019ae8dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c2fff2b42c352919ceac1b40f57867521b0a3bfc58f22e25f1018fd897ed554
                                                                                                                                                                                  • Instruction Fuzzy Hash: 26C00260D012059AE750AFB6A846B152A94A75934DF8044BFB104BA2E2DA7C82066BDE
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000000F.00000002.2286021077.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                   • Associated: 0000000F.00000002.2285999035.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286082151.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286107310.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286138691.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                   • Associated: 0000000F.00000002.2286164207.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_15_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLastSleep
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1458359878-0
                                                                                                                                                                                  • Opcode ID: 162f6e589a9a3ecbf727cd3144cb36b5133ad9a431805f826c669b7668a8d72d
                                                                                                                                                                                  • Instruction ID: 0e0098d5c51f6c3332c54b3c49cab550602dc5c9badc8da443834b62d3c24bba
                                                                                                                                                                                  • Opcode Fuzzy Hash: 162f6e589a9a3ecbf727cd3144cb36b5133ad9a431805f826c669b7668a8d72d
                                                                                                                                                                                  • Instruction Fuzzy Hash: BCF02B32F00914E74F30A76AA88393F628CDA417A6720012BFC04DB303D53CDE0586A8

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:0.7%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                  Signature Coverage:6.3%
                                                                                                                                                                                  Total number of Nodes:605
                                                                                                                                                                                  Total number of Limit Nodes:59
                                                                                                                                                                                  execution_graph

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE1BD6
                                                                                                                                                                                  • mprError.LIBMPR(Cannot open service manager), ref: 00EE1BE7
                                                                                                                                                                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00EE1C04
                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00EE1C11
                                                                                                                                                                                  • mprError.LIBMPR(Cannot open service), ref: 00EE1C1C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Cannot open service manager, xrefs: 00EE1BE2
                                                                                                                                                                                  • Cannot delete service: 0x%x, xrefs: 00EE1CCC
                                                                                                                                                                                  • Cannot open service, xrefs: 00EE1C17
                                                                                                                                                                                  • Cannot stop service: 0x%x, xrefs: 00EE1CA1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorOpenService$CloseHandleManager
                                                                                                                                                                                  • String ID: Cannot delete service: 0x%x$Cannot open service$Cannot open service manager$Cannot stop service: 0x%x
                                                                                                                                                                                  • API String ID: 261947648-2492110048
                                                                                                                                                                                  • Opcode ID: 465bd63850cea8acf395c3d87ac619f5714004f08f1d4a12d127464db47fcd6a
                                                                                                                                                                                  • Instruction ID: 4543ec0969f473c3cff029cbccf69f0b40c2964f1efa798aab0d42845ef568c7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 465bd63850cea8acf395c3d87ac619f5714004f08f1d4a12d127464db47fcd6a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4821FCF17C03DDBBD63067735C86F6A33589B1175AF142060FA05BA2C1DBB6998885B3
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseDestroyHandleWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3419536441-0
                                                                                                                                                                                  • Opcode ID: 31fbb1688262f9a310b3cd2e86e0a836a7cf36cf50f2b34b6229331d9784b8a7
                                                                                                                                                                                  • Instruction ID: 5e6d69a2f2def0eef1d4c4ec8249f76d95276d805b94f74fdff0c349e5c6b8f6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 31fbb1688262f9a310b3cd2e86e0a836a7cf36cf50f2b34b6229331d9784b8a7
                                                                                                                                                                                  • Instruction Fuzzy Hash: EC41C5397052909FDB20DB24C495EEABBB1AF47308B2758DED8958B712C732B44BC790

Control-flow Graph (graph rendering not reproduced; first basic block 6c8f8a80-6c8f8ae4)
APIs
• _time64.MSVCR100 ref: 6C8F8AB0
• srand.MSVCR100 ref: 6C8F8AB7
• InitializeCriticalSectionAndSpinCount.KERNEL32(6C9038C4,000005DC), ref: 6C8F8ACC
• mprCreateMemService.LIBMPR(6C8D1560,?), ref: 6C8F8AD8
  • Part of subcall function 6C8F0100: GetSystemInfo.KERNELBASE(?), ref: 6C8F0114
  • Part of subcall function 6C8F0100: VirtualAlloc.KERNELBASE(00000000,00000FFF,00003000,00000004), ref: 6C8F015D
• gettimeofday.LIBMPR(?,00000000), ref: 6C8F8AF7
  • Part of subcall function 6C8D9420: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6C8D944E
  • Part of subcall function 6C8D9420: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8D9467
  • Part of subcall function 6C8D9420: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8D9483
  • Part of subcall function 6C8D9420: GetTimeZoneInformation.KERNEL32(?), ref: 6C8D94A3
  • Part of subcall function 6C8EB1E0: TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C8D102F,?), ref: 6C8EB2B0
  • Part of subcall function 6C8EB1E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6C8D102F,?), ref: 6C8EB302
• mprCreateHash.LIBMPR(00000043,00000010,?,00000000,00000000), ref: 6C8F8B92
• mprCreateList.LIBMPR(00000000,00000020,?,?,?,?,00000000,00000000), ref: 6C8F8BB3
• mprCreateHash.LIBMPR(00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6C8F8BC0
• mprCreateFileSystem.LIBMPR(6C8FBC50,00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6C8F8BD7
• mprCreateTimeService.LIBMPR(00000202,?), ref: 6C8F8C08
• mprCreateSpinLock.LIBMPR(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C13
• mprCreateSpinLock.LIBMPR(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C1E
• mprCreateThreadService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C57
• mprCreateModuleService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C62
• mprCreateEventService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C6D
• mprCreateCmdService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C78
• mprCreateWorkerService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C83
• mprCreateWaitService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C8E
• mprCreateSocketService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8C99
• getenv.MSVCR100 ref: 6C8F8CA9
• memcpy.MSVCR100(00000008,00000000,00000001), ref: 6C8F8CF7
• mprCreateCond.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8F8D06
• mprCreateDispatcher.LIBMPR(main,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C8F8D18
• mprCreateDispatcher.LIBMPR(nonblock,00000000,main,00000000), ref: 6C8F8D2A
• mprGetCurrentThread.LIBMPR ref: 6C8F8D55
• mprCreateWindow.LIBMPR(00000000), ref: 6C8F8D63
• mprStartEventsThread.LIBMPR ref: 6C8F8D76
  • Part of subcall function 6C8EB570: mprCreateThread.LIBMPR(events,6C8EAF50,00000000,00000000), ref: 6C8EB57F
• mprStartGCService.LIBMPR ref: 6C8F8D81
Strings
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: Create$Service$ThreadTime$CriticalSectionSpinSystem$DispatcherFileHashLockStartUnothrow_t@std@@@__ehfuncinfo$??2@$AllocCondCountCurrentEnterEventEventsInfoInformationInitializeLeaveListModuleSocketVirtualWaitWindowWorkerZone_time64getenvgettimeofdaymemcpysrand
• String ID: PATH$main$nonblock
• API String ID: 2973349961-3940408414
• Opcode ID: 2b32ea63ae7da7679a700cb8ac74dc2bcdd5d0ad6566de954f9d73a3c24eed33
• Instruction ID: 4735b322f2ed20d859143ea145b8821552d47b163817ea8973eac76fdc26305c
• Opcode Fuzzy Hash: 2b32ea63ae7da7679a700cb8ac74dc2bcdd5d0ad6566de954f9d73a3c24eed33
• Instruction Fuzzy Hash: 3B91F4B1A043049FD7309F799A45B9BB6E0BF86388F154D3ED4A9C7B01E734A4498B91

Control-flow Graph (graph rendering not reproduced; first basic block 6c8e9920-6c8e992a)
APIs
• mprShutdown.LIBMPR(?,00100000,?,?), ref: 6C8E9947
  • Part of subcall function 6C8E96E0: EnterCriticalSection.KERNEL32(?), ref: 6C8E96FF
  • Part of subcall function 6C8E96E0: LeaveCriticalSection.KERNEL32(?), ref: 6C8E9734
• mprGetTicks.LIBMPR ref: 6C8E996D
• PostMessageA.USER32(?,00000000,00000000,00000000), ref: 6C8E99C1
• mprWaitForCond.LIBMPR(?,000003E8,00000000), ref: 6C8E99DB
• mprGetTicks.LIBMPR ref: 6C8E99F4
• mprTraceProc.LIBMPR(00000002,Cancel termination due to continuing requests, application resumed.), ref: 6C8E9A63
• mprCancelShutdown.LIBMPR ref: 6C8E9A6B
Strings
• Cancel termination due to continuing requests, application resumed., xrefs: 6C8E9A5C
• mprRestart not supported on this platform, xrefs: 6C8E9C45
• Exiting, xrefs: 6C8E9C18
• Restarting, xrefs: 6C8E9C11, 6C8E9C1D
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: CriticalSectionShutdownTicks$CancelCondEnterLeaveMessagePostProcTraceWait
• String ID: Cancel termination due to continuing requests, application resumed.$Exiting$Restarting$mprRestart not supported on this platform
• API String ID: 1752463892-1881933816
• Opcode ID: 8042093d8099394777ee0a3b89598b45876e5a2527fad95ad4de990ff90ebd2f
• Instruction ID: 0cb612860ff29b333d793e55a8e0be4d416193bc3b221c2e1c3094e5949db51b
• Opcode Fuzzy Hash: 8042093d8099394777ee0a3b89598b45876e5a2527fad95ad4de990ff90ebd2f
• Instruction Fuzzy Hash: 6691A0317452109BDB24EB28DA44FE533B1BF8B70CF2989BCD8158BA51DBB1E849CB51

Control-flow Graph (graph rendering not reproduced; first basic block 6c8e96e0-6c8e96e7)
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C8E96FF
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C8E9734
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C8E9756
                                                                                                                                                                                  • mprGetTicks.LIBMPR ref: 6C8E97BF
                                                                                                                                                                                  • mprTraceProc.LIBMPR(00000003,Abort with restart.), ref: 6C8E97FA
                                                                                                                                                                                  • mprError.LIBMPR(mprRestart not supported on this platform), ref: 6C8E9807
                                                                                                                                                                                  • mprTraceProc.LIBMPR(00000003,Application exit, waiting for existing requests to complete.), ref: 6C8E981F
                                                                                                                                                                                  • mprCreateEvent.LIBMPR(00000000,shutdownMonitor,00000000,00000000,6C8E7BB0,00000000,00000003), ref: 6C8E9851
                                                                                                                                                                                  • mprWakeDispatchers.LIBMPR ref: 6C8E9859
                                                                                                                                                                                  • PostMessageA.USER32(?,00000000,00000000,00000000), ref: 6C8E9884
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C8E98AE
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C8E98C8
                                                                                                                                                                                  • mprTraceProc.LIBMPR(00000003,Abortive exit.), ref: 6C8E98FD
                                                                                                                                                                                  • exit.MSVCR100 ref: 6C8E9906
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C8E9914
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • shutdownMonitor, xrefs: 6C8E984A
                                                                                                                                                                                  • Abort with restart., xrefs: 6C8E97F4
                                                                                                                                                                                  • Application exit, waiting for existing requests to complete., xrefs: 6C8E9819
                                                                                                                                                                                  • mprRestart not supported on this platform, xrefs: 6C8E9802
                                                                                                                                                                                  • Abortive exit., xrefs: 6C8E98F7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$Leave$ProcTrace$Enter$CreateDispatchersErrorEventMessagePostTicksWakeexit
                                                                                                                                                                                  • String ID: Abort with restart.$Abortive exit.$Application exit, waiting for existing requests to complete.$mprRestart not supported on this platform$shutdownMonitor
                                                                                                                                                                                  • API String ID: 1188098924-749738587
                                                                                                                                                                                  • Opcode ID: 738c81ef15a793494c7937c2ec6118622012692d7f129c7c1dace8d735872988
                                                                                                                                                                                  • Instruction ID: c6aa9101349dec8dc164bd3f6d126466c85622cb7f28d1a21e989979e03de09c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 738c81ef15a793494c7937c2ec6118622012692d7f129c7c1dace8d735872988
                                                                                                                                                                                  • Instruction Fuzzy Hash: FA61A130706211ABD734DF24E944F9577B0BB4B708F2589ACEC199BBA1D771E845CB50

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCR100 ref: 6C8F4D39
                                                                                                                                                                                  • mprCreateSpinLock.LIBMPR ref: 6C8F4D9A
                                                                                                                                                                                  • gethostname.WS2_32 ref: 6C8F4DC5
                                                                                                                                                                                  • scopy.LIBMPR(?,00000400,localhost), ref: 6C8F4DDE
                                                                                                                                                                                  • mprError.LIBMPR(Cannot get host name. Using "localhost".,?,00000400,localhost), ref: 6C8F4DE8
                                                                                                                                                                                  • strchr.MSVCR100 ref: 6C8F4DF8
                                                                                                                                                                                  • scopy.LIBMPR(?,00000400,?,?,00000400), ref: 6C8F4E15
                                                                                                                                                                                  • scopy.LIBMPR(?,00000400,00000001,?,00000400,?,?,00000400), ref: 6C8F4E30
                                                                                                                                                                                  • mprSetServerName.LIBMPR(?,?,00000400,?,?,00000400), ref: 6C8F4E42
                                                                                                                                                                                  • mprSetDomainName.LIBMPR(?,?,?,00000400,?,?,00000400), ref: 6C8F4E4F
                                                                                                                                                                                  • mprSetHostName.LIBMPR(?,?,?,?,00000400,?,?,00000400), ref: 6C8F4E5C
                                                                                                                                                                                  • mprCreateList.LIBMPR(00000000,00000000,?,?,?,?,00000400,?,?,00000400), ref: 6C8F4E65
                                                                                                                                                                                  • socket.WS2_32(00000017,00000001,00000000), ref: 6C8F4E76
                                                                                                                                                                                  • closesocket.WS2_32(00000000), ref: 6C8F4E8A
                                                                                                                                                                                  • mprTraceProc.LIBMPR(00000001,This system does not have IPv6 support,?,?,?,?,?,00000400,?,?,00000400), ref: 6C8F4EBB
                                                                                                                                                                                    • Part of subcall function 6C8E6F20: mprPrintfCore.LIBMPR(?,00002000,?,?), ref: 6C8E6F52
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • localhost, xrefs: 6C8F4DCF
                                                                                                                                                                                  • Cannot get host name. Using "localhost"., xrefs: 6C8F4DE3
                                                                                                                                                                                  • This system does not have IPv6 support, xrefs: 6C8F4EB4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Namescopy$Create$CoreDomainErrorHostListLockPrintfProcServerSpinTraceclosesocketgethostnamememsetsocketstrchr
                                                                                                                                                                                  • String ID: Cannot get host name. Using "localhost".$This system does not have IPv6 support$localhost
                                                                                                                                                                                  • API String ID: 2941904441-3921791619
                                                                                                                                                                                  • Opcode ID: 9bff2ede015ebeabd4c112c4a17a7c350cd3e3c8b9ada581ee94002dc64eac88
                                                                                                                                                                                  • Instruction ID: a845fca7a21482ea7042045971c87c36296dbc775f906e1f062e0841a2b26187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9bff2ede015ebeabd4c112c4a17a7c350cd3e3c8b9ada581ee94002dc64eac88
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D5104B16043409AE7309B28DA05FDB77E4AFC1398F148E2DE665C6681EB74E14AC7A1

                                                                                                                                                                                  Control-flow Graph

Control-flow graph of the function at 6c8e49c0-6c8e4b8a, with calls to 6c8f9450 and 6c8f91ce (interactive graph widget: executed/not-executed legend and basic-block edge data not reproduced; the called APIs are listed below)
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • fmt.LIBMPR(?,00001000,SYSTEM\CurrentControlSet\Services\EventLog\Application\%s,?), ref: 6C8E4A99
                                                                                                                                                                                  • RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6C8E4AC5
                                                                                                                                                                                  • RegSetValueExA.KERNELBASE(?,EventMessageFile,00000000,00000002,%SystemRoot%\System32\netmsg.dll,00000021), ref: 6C8E4AE9
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6C8E4AF4
                                                                                                                                                                                  • RegSetValueExA.KERNELBASE ref: 6C8E4B2D
                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 6C8E4B38
                                                                                                                                                                                  • RegisterEventSourceA.ADVAPI32(00000000,?), ref: 6C8E4B48
                                                                                                                                                                                  • ReportEventA.ADVAPI32(00000000,00000001,00000000,00000CE3,00000000,00000009,00000000,?,00000000), ref: 6C8E4B67
                                                                                                                                                                                  • DeregisterEventSource.ADVAPI32(00000000), ref: 6C8E4B6E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • SYSTEM\CurrentControlSet\Services\EventLog\Application\%s, xrefs: 6C8E4A7D
                                                                                                                                                                                  • %SystemRoot%\System32\netmsg.dll, xrefs: 6C8E4ADB
                                                                                                                                                                                  • TypesSupported, xrefs: 6C8E4B1F
                                                                                                                                                                                  • EventMessageFile, xrefs: 6C8E4AE3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Event$CloseSourceValue$CreateDeregisterRegisterReport
                                                                                                                                                                                  • String ID: %SystemRoot%\System32\netmsg.dll$EventMessageFile$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported
                                                                                                                                                                                  • API String ID: 1095276338-4169126159
                                                                                                                                                                                  • Opcode ID: 93cf2ffdc26804317b07664e51a6b30484c643dfc542e70f84201e430a28302d
                                                                                                                                                                                  • Instruction ID: 4530aa735a3947b3168f149dddb9954f9cbd7043208b2ba100eca9de071a7bd5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 93cf2ffdc26804317b07664e51a6b30484c643dfc542e70f84201e430a28302d
                                                                                                                                                                                  • Instruction Fuzzy Hash: B4519271208350AFD320DF65C984EABB7E8FBC9388F404D2DF69997641D3709948CB92

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • mprDoWaitRecall.LIBMPR(?), ref: 6C8EA41B
                                                                                                                                                                                  • mprGetCurrentThread.LIBMPR ref: 6C8EA42E
                                                                                                                                                                                  • mprCreateWindow.LIBMPR(00000000), ref: 6C8EA43F
                                                                                                                                                                                  • mprError.LIBMPR(mprWaitForIO: Cannot get window), ref: 6C8EA456
                                                                                                                                                                                  • mprYield.LIBMPR(00000002), ref: 6C8EA46B
                                                                                                                                                                                  • SetTimer.USER32(?,00000000,7FFFFFFF,00000000), ref: 6C8EA477
                                                                                                                                                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 6C8EA485
• mprResetYield.LIBMPR ref: 6C8EA48F
• mprShutdown.LIBMPR(00000000,00000000,000000FF,000000FF), ref: 6C8EA49A
• mprResetYield.LIBMPR ref: 6C8EA4BC
• TranslateMessage.USER32(?), ref: 6C8EA4C6
• DispatchMessageA.USER32(?), ref: 6C8EA4D1
Strings
• mprWaitForIO: Cannot get window, xrefs: 6C8EA451
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: MessageYield$Reset$CreateCurrentDispatchErrorRecallShutdownThreadTimerTranslateWaitWindow
• String ID: mprWaitForIO: Cannot get window
• API String ID: 1568713199-681859796
• Opcode ID: 8558e4a566630a3e2ba44f4f25a885c5d5247ded5fbc3d576091c018bd267aee
• Instruction ID: c6bc3e84b8cc0725edef33dbe4cfcc80af96a8ac5d5370490ab406fe8c9a8862
• Opcode Fuzzy Hash: 8558e4a566630a3e2ba44f4f25a885c5d5247ded5fbc3d576091c018bd267aee
• Instruction Fuzzy Hash: 24212BB26052115BD720AF1CADC48DBB778FB4B23CB544F3EE52542A41D736A50986A3

Control-flow Graph

APIs
• GetSystemInfo.KERNELBASE(?), ref: 6C8F0114
• VirtualAlloc.KERNELBASE(00000000,00000FFF,00003000,00000004), ref: 6C8F015D
• memset.MSVCR100 ref: 6C8F017F
• mprVirtAlloc.LIBMPR ref: 6C8F01C2
• getenv.MSVCR100 ref: 6C8F02C9
• scmp.LIBMPR(00000000,?,00000000,00000C58), ref: 6C8F02D3
• mprCreateCond.LIBMPR(0003FEC8,?,?,?,00000000,00000C58), ref: 6C8F0312
• mprCreateList.LIBMPR(000000FF,00000020,0003FEC8,?,?,?,00000000,00000C58), ref: 6C8F0327
• mprAddItem.LIBMPR(00000000,00EA0020,000000FF,00000020,0003FEC8,?,?,?,00000000,00000C58), ref: 6C8F0340
Strings
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: AllocCreate$CondInfoItemListSystemVirtVirtualgetenvmemsetscmp
• String ID: MPR_DISABLE_GC
• API String ID: 4082112180-2375395910
• Opcode ID: 1e39fafa0beaf532c15858aa4041cdf009c3043aec396bbff53c2d33fc109a84
• Instruction ID: 1057dd87df8516e694f53eefd57f88af24d4a232b08feb9a1c4a1e3fdadd322f
• Opcode Fuzzy Hash: 1e39fafa0beaf532c15858aa4041cdf009c3043aec396bbff53c2d33fc109a84
• Instruction Fuzzy Hash: E85179B46087049FD754DF29D884BA2BBF0FB46318F1589BDD8598B751DB31A088CB80

Control-flow Graph

APIs
• _lock.MSVCR100(00000008,6C837F98,00000018,6C86C0CB,00000001,00000001,00000000,?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9), ref: 6C837EE6
• DecodePointer.KERNEL32(6C837F98,00000018,6C86C0CB,00000001,00000001,00000000,?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F20
• DecodePointer.KERNEL32(?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F35
• _encoded_null.MSVCR100(?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F4C
• DecodePointer.KERNEL32(-00000004,?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F5B
• _encoded_null.MSVCR100(?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F5F
• DecodePointer.KERNEL32(?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F6E
• DecodePointer.KERNEL32(?,6C86C0FC,000000FF,?,6C847507,00000011,00000001,?,6C8221A9,0000000D), ref: 6C837F78
  • Part of subcall function 6C837E18: GetModuleHandleW.KERNEL32(00000000,6C837EDC,6C837F98,00000018,6C86C0CB,00000001,00000001,00000000,?,6C86C0FC,000000FF,?,6C847507,00000011,00000001), ref: 6C837E1A
• ___crtCorExitProcess.LIBCMT ref: 6C847405
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: DecodePointer$_encoded_null$ExitHandleModuleProcess___crt_lock
• String ID:
• API String ID: 729311798-0
• Opcode ID: 21104474c1d129f5142ae783d19ac4f7f2aa47402d1e0c4d5f8d795a747a9804
• Instruction ID: 584259ae7b159981657069fd220cdb9f8e76754f1057e0ddd7ca289cb31f5907
• Opcode Fuzzy Hash: 21104474c1d129f5142ae783d19ac4f7f2aa47402d1e0c4d5f8d795a747a9804
• Instruction Fuzzy Hash: FF318170905259CFDF209FE8CF442DC7AF0BF85319F11697AD508A2A50DB748984DBD0

Control-flow Graph

APIs
• _errno.MSVCR100 ref: 6C86C799
• _invalid_parameter_noinfo.MSVCR100 ref: 6C86C7A4
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• __set_flsgetvalue.MSVCR100 ref: 6C86C7AE
• _calloc_crt.MSVCR100(00000001,00000214), ref: 6C86C7BA
• _getptd.MSVCR100 ref: 6C86C7C7
• _initptd.MSVCR100(00000000,?), ref: 6C86C7D0
• CreateThread.KERNELBASE(?,?,6C86C724,00000000,?,?), ref: 6C86C7FE
• GetLastError.KERNEL32 ref: 6C86C808
• free.MSVCR100(00000000), ref: 6C86C811
• __dosmaperr.LIBCMT(00000000), ref: 6C86C81C
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: CreateErrorLastThread__dosmaperr__set_flsgetvalue_calloc_crt_errno_getptd_initptd_invalid_parameter_invalid_parameter_noinfofree
• String ID:
• API String ID: 2355482382-0
• Opcode ID: 3c8c06770465300ed475de2941f678f40c781faf71fb2858eaed0c2fe09c5128
• Instruction ID: 0d893b5e830a1625074a12c1efcd1b8f90e2733c72ff427997f702798875f546
• Opcode Fuzzy Hash: 3c8c06770465300ed475de2941f678f40c781faf71fb2858eaed0c2fe09c5128
• Instruction Fuzzy Hash: A311A032204756AF9B30AFAE9E49DCB37E8EF45378B100C39F91486E51DB39D84486E0

Control-flow Graph

APIs
  • Part of subcall function 6C8DD810: strchr.MSVCR100 ref: 6C8DD868
  • Part of subcall function 6C8DD810: scaselesscmp.LIBMPR(?,HKEY_LOCAL_MACHINE,?,0000005C), ref: 6C8DD896
  • Part of subcall function 6C8DD810: scaselesscmp.LIBMPR(?,HKLM,?,?,?,0000005C), ref: 6C8DD8AF
  • Part of subcall function 6C8DD810: scaselesscmp.LIBMPR(00000000,HKEY_CURRENT_USER,?,?,?,?,?,0000005C), ref: 6C8DD8C4
  • Part of subcall function 6C8DD810: scaselesscmp.LIBMPR(?,HKCU,?,?,?,?,?,?,?,0000005C), ref: 6C8DD8D9
  • Part of subcall function 6C8DD810: scaselesscmp.LIBMPR(?,HKEY_USERS,?,?,?,?,?,?,?,?,?,0000005C), ref: 6C8DD8EE
• RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020019,?), ref: 6C8EDCD0
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 6C8EDCF9
• RegCloseKey.ADVAPI32(?), ref: 6C8EDD12
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: scaselesscmp$CloseOpenQueryValuestrchr
• String ID:
• API String ID: 759369415-0
• Opcode ID: 7cd341ab1c51c2c61c25fc1e78faafdcf5ff70f318236dc86e0d601061f37565
• Instruction ID: 28bd820141890c5f2ae000d8d000a9b882dd776d5e4c59b168e9eaa779b5569c
• Opcode Fuzzy Hash: 7cd341ab1c51c2c61c25fc1e78faafdcf5ff70f318236dc86e0d601061f37565
• Instruction Fuzzy Hash: 44217472204302EFD720CE64ED80FAB73A8FBC5658F144D29F950C7240E634E909C792

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
control_flow_graph 364 6c8e9d50-6c8e9d65 365 6c8e9d8b-6c8e9db7 CreateWindowExA 364->365 366 6c8e9d67-6c8e9d77 mprCreateWindowClass 364->366 368 6c8e9dc8-6c8e9dca 365->368 369 6c8e9db9-6c8e9dc6 mprError 365->369 366->365 367 6c8e9d79-6c8e9d8a mprError 366->367 369->368
APIs
• mprCreateWindowClass.LIBMPR(?), ref: 6C8E9D68
  • Part of subcall function 6C8E9CE0: RegisterClassA.USER32 ref: 6C8E9D20
  • Part of subcall function 6C8E9CE0: mprError.LIBMPR(Cannot register windows class), ref: 6C8E9D33
• mprError.LIBMPR(Cannot create window class), ref: 6C8E9D7E
  • Part of subcall function 6C8E7010: mprPrintfCore.LIBMPR(?,00002000,?,?,6C8E5F72,Cannot open log file %s,?), ref: 6C8E7042
• CreateWindowExA.USER32(00000000,00000000,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C8E9DA8
• mprError.LIBMPR(Cannot create window), ref: 6C8E9DBE
Strings
• Cannot create window, xrefs: 6C8E9DB9
• Cannot create window class, xrefs: 6C8E9D79
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: Error$ClassCreateWindow$CorePrintfRegister
• String ID: Cannot create window$Cannot create window class
• API String ID: 2117133146-1593879683
• Opcode ID: c4f1902e9d80605c198355471cdab23be9e04459e178676639e3c16542adba91
• Instruction ID: edd262566866349f6a21c109f9374eead3083127c54db8304382daec3b7037da
• Opcode Fuzzy Hash: c4f1902e9d80605c198355471cdab23be9e04459e178676639e3c16542adba91
• Instruction Fuzzy Hash: 8EF0F675704210AAD370AB69BC00FD673B4BF86759F194D3DF84597A42E7B0E505C292

Control-flow Graph

APIs
• memcpy.MSVCR100(00000008,?,?), ref: 6C8F3C08
• GetModuleFileNameA.KERNELBASE(00000000,000003FF,000003FF), ref: 6C8F3C3A
• mprGetAbsPath.LIBMPR ref: 6C8F3C5D
  • Part of subcall function 6C8F3AC0: mprNormalizePath.LIBMPR(6C8FC79C), ref: 6C8F3B02
  • Part of subcall function 6C8F3AC0: mprMapSeparators.LIBMPR(00000000,?,6C8FC79C), ref: 6C8F3B11
• sclone.LIBMPR(?), ref: 6C8F3C74
  • Part of subcall function 6C8DC720: mprAllocFast.LIBMPR(?), ref: 6C8DC744
  • Part of subcall function 6C8DC720: memcpy.MSVCR100(00000000,?,?), ref: 6C8DC755
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: Pathmemcpy$AllocFastFileModuleNameNormalizeSeparatorssclone
• String ID:
• API String ID: 1560716922-0
• Opcode ID: 9f088e8d1d11b566c1cbac3f55d29aaa0a450bfd88b35fa7d7c3a17f46129a9a
• Instruction ID: 2297d46a64a6cffceec42f0cae3d6fdb0606fdea9924b5911c1c69f32b0796c6
• Opcode Fuzzy Hash: 9f088e8d1d11b566c1cbac3f55d29aaa0a450bfd88b35fa7d7c3a17f46129a9a
• Instruction Fuzzy Hash: C92106B27041005BD3349B2CDA55B97B3E4AF84788F44093DDB69D7351EB34D80AC38A

Control-flow Graph

control_flow_graph 395 6c8e1330-6c8e1337 396 6c8e134d-6c8e1369 _beginthreadex 395->396 397 6c8e1339-6c8e133e 395->397 399 6c8e136b-6c8e136d 396->399 400 6c8e1384-6c8e1392 396->400 397->396 398 6c8e1340-6c8e1344 397->398 398->396 403 6c8e1346-6c8e1347 EnterCriticalSection 398->403 404 6c8e136f-6c8e1374 399->404 405 6c8e137d-6c8e1383 399->405 401 6c8e139b-6c8e139e 400->401 402 6c8e1394-6c8e1395 LeaveCriticalSection 400->402 402->401 403->396 404->405 406 6c8e1376-6c8e1377 LeaveCriticalSection 404->406 406->405
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6C8E1347
• _beginthreadex.MSVCR100 ref: 6C8E135E
• LeaveCriticalSection.KERNEL32(?), ref: 6C8E1377
• LeaveCriticalSection.KERNEL32(?), ref: 6C8E1395
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$Enter_beginthreadex
• String ID:
• API String ID: 1916746806-0
• Opcode ID: ffef1d2dd41880bede60022caace82b3236f6b47311c042126d5307843d35dbb
• Instruction ID: 2fd2b06ec3077869b4335464b3bf07b6d0fea86ac37430e5b536969d60acd6c0
• Opcode Fuzzy Hash: ffef1d2dd41880bede60022caace82b3236f6b47311c042126d5307843d35dbb
• Instruction Fuzzy Hash: 00016231A06B21ABD6308F24A944F9B77B4AF4AB59F164D58FC65A7E45C334E840C7D0

Control-flow Graph

control_flow_graph 407 6c8ddc00-6c8ddc11 408 6c8ddc20-6c8ddc25 407->408 409 6c8ddc13-6c8ddc17 407->409 411 6c8ddc37-6c8ddc3c 408->411 412 6c8ddc27-6c8ddc31 SetEvent 408->412 409->408 410 6c8ddc19-6c8ddc1a EnterCriticalSection 409->410 410->408 413 6c8ddc3e-6c8ddc3f LeaveCriticalSection 411->413 414 6c8ddc45-6c8ddc52 411->414 412->411 413->414 415 6c8ddc7d-6c8ddc7e 414->415 416 6c8ddc54-6c8ddc5b 414->416 417 6c8ddc60-6c8ddc66 416->417 418 6c8ddc7c 417->418 419 6c8ddc68-6c8ddc7a Sleep 417->419 418->415 419->417 419->418
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6C8DDC1A
• SetEvent.KERNEL32 ref: 6C8DDC31
• LeaveCriticalSection.KERNEL32(?), ref: 6C8DDC3F
• Sleep.KERNELBASE(00000001), ref: 6C8DDC6A
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeaveSleep
• String ID:
• API String ID: 1925615494-0
• Opcode ID: d68b1694b24715f9a605e83403e7021cac8765fbcdec29a7b51d53bd220c03db
• Instruction ID: 54434a9a154d31f228f95694858476476715cfbeab6dcd9ed3440d8e791f1035
• Opcode Fuzzy Hash: d68b1694b24715f9a605e83403e7021cac8765fbcdec29a7b51d53bd220c03db
• Instruction Fuzzy Hash: 83015E31704A10DFDB209B15E648F56B7F4BB45719F1748AEE859A7650C3B0B841CFA0
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE1BD6
• mprError.LIBMPR(Cannot open service manager), ref: 00EE1BE7
• OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00EE1C04
• CloseServiceHandle.ADVAPI32(00000000), ref: 00EE1C11
• mprError.LIBMPR(Cannot open service), ref: 00EE1C1C
Strings
• Cannot open service manager, xrefs: 00EE1BE2
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: ErrorOpenService$CloseHandleManager
• String ID: Cannot open service manager
• API String ID: 261947648-2588921198
• Opcode ID: 69c20e60a57e2bd2b58e6c22b3a58bf71121f25f457a1c695c9036ae199f313b
• Instruction ID: 6579d41d9240f47b3de8debe4761fd071635954a3ad43410c2f512f54a039f85
• Opcode Fuzzy Hash: 69c20e60a57e2bd2b58e6c22b3a58bf71121f25f457a1c695c9036ae199f313b
• Instruction Fuzzy Hash: 3DD09EF1380399ABE6556BD29C86B5533546715745F0010A0B6046A1D2DAF195489551
APIs
• _getptd.MSVCR100(6C86C708,0000000C,6C86C788,?), ref: 6C86C6CF
• _endthreadex.MSVCR100(00000000), ref: 6C86C6DF
  • Part of subcall function 6C86C6A4: __freeptd.LIBCMT ref: 6C86C6B3
  • Part of subcall function 6C86C6A4: ExitThread.KERNEL32 ref: 6C86C6BC
• __XcptFilter.LIBCMT(?,?,00000000), ref: 6C86C6F0
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExitFilterThreadXcpt__freeptd_endthreadex_getptd
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1851418559-0
                                                                                                                                                                                  • Opcode ID: 714494c973bf5835b2671e405a76982380bb83be99d00e3c13966bbf1b6bcf86
                                                                                                                                                                                  • Instruction ID: 7962dd512a16da143e40edb1fb4123251576eeb02be129385d8dff5889dedcde
                                                                                                                                                                                  • Opcode Fuzzy Hash: 714494c973bf5835b2671e405a76982380bb83be99d00e3c13966bbf1b6bcf86
                                                                                                                                                                                  • Instruction Fuzzy Hash: 11E08CB0900200AFEB28EBA8CE18EBE7774AF45204F20085CE0015BBA1CB399C44EB20
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C820698: GetLastError.KERNEL32(6C813238,?,6C8207BA,6C8B7F62), ref: 6C82069C
                                                                                                                                                                                    • Part of subcall function 6C820698: __set_flsgetvalue.MSVCR100 ref: 6C8206AA
                                                                                                                                                                                    • Part of subcall function 6C820698: SetLastError.KERNEL32(00000000), ref: 6C8206BC
                                                                                                                                                                                  • __freeptd.LIBCMT ref: 6C86C6B3
                                                                                                                                                                                    • Part of subcall function 6C822539: TlsGetValue.KERNEL32(?,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C82255A
                                                                                                                                                                                    • Part of subcall function 6C822539: TlsGetValue.KERNEL32(?,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C82256C
                                                                                                                                                                                    • Part of subcall function 6C822539: DecodePointer.KERNEL32(00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C822582
                                                                                                                                                                                    • Part of subcall function 6C822539: _freefls.MSVCR100(00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C82258D
                                                                                                                                                                                    • Part of subcall function 6C822539: TlsSetValue.KERNEL32(00000002,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C82259F
                                                                                                                                                                                  • ExitThread.KERNEL32 ref: 6C86C6BC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$ErrorLast$DecodeExitPointerThread__freeptd__set_flsgetvalue_freefls
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 347067750-0
                                                                                                                                                                                  • Opcode ID: 16c74f4a2cda60963d8d1aebcc8592a76fda483905a6ebb35bd08ccea3451e34
                                                                                                                                                                                  • Instruction ID: 9ac74c82d640dc5399a1188dedf4621a21fa8789e3ade70ddd6120997d518021
                                                                                                                                                                                  • Opcode Fuzzy Hash: 16c74f4a2cda60963d8d1aebcc8592a76fda483905a6ebb35bd08ccea3451e34
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4AC08C300002482EDFB02BA6DA1D84A3A6D8B80118B1008357C0881D00DF2CDD94C4D4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ___crtCorExitProcess.LIBCMT ref: 6C837EB4
                                                                                                                                                                                    • Part of subcall function 6C837E57: GetModuleHandleW.KERNEL32(mscoree.dll,?,6C837EB9,00000001,?,6C8474B5,000000FF,0000001E,6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C837E61
                                                                                                                                                                                    • Part of subcall function 6C837E57: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C837E71
                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 6C837EBD
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2427264223-0
                                                                                                                                                                                  • Opcode ID: 41ff1a40cb1fdc02cee270796698f0d902f4e980bca3c5ab0ac4a3b9428a0447
                                                                                                                                                                                  • Instruction ID: e06c3523a4d85e9cb866ea6fcbdf44d44f07a95c4a91375913f46967cf747fa2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 41ff1a40cb1fdc02cee270796698f0d902f4e980bca3c5ab0ac4a3b9428a0447
                                                                                                                                                                                  • Instruction Fuzzy Hash: AAB09B3100018CFFCF211F55DD098497F65DB416647105034F41C05560DF71DD52F5D0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _unlock.MSVCR100(00000008,6C837FC0,6C837F98,00000018,6C86C0CB,00000001,00000001,00000000,?,6C86C0FC,000000FF,?,6C847507,00000011,00000001), ref: 6C837FE9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _unlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2480363372-0
                                                                                                                                                                                  • Opcode ID: b130028ab0cd65cf7bb74338deddde45a3c7265e0161153ec8c473bb1ae8a34e
                                                                                                                                                                                  • Instruction ID: 33392fbf8efe8991ec5946cbd5aaa1e6486f9105a96db3c5c1e5f986f2ad674c
                                                                                                                                                                                  • Opcode Fuzzy Hash: b130028ab0cd65cf7bb74338deddde45a3c7265e0161153ec8c473bb1ae8a34e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 60B0122044829DC9D7300D8C4F04FC411103780B1AF807E28D45804CC04BB88188C2D0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 6C8EA91B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4275171209-0
                                                                                                                                                                                  • Opcode ID: dbca10b4a0819e25e2beb3c335b0f238c214e07f28a9229494a9c65ffb65bcb6
                                                                                                                                                                                  • Instruction ID: 5a7bffb405f0455a84f126a5c5be346ab27fbc01959a8a544e8985477fab70a9
                                                                                                                                                                                  • Opcode Fuzzy Hash: dbca10b4a0819e25e2beb3c335b0f238c214e07f28a9229494a9c65ffb65bcb6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B11E5343082259FE720CA54CA84FD63BB9FB8BB5DF16487AD4548BA01D731E8479751
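The per-function records in this report share one layout: an APIs list (direct calls, plus indented "Part of subcall function" lines), a Memory Dump Source giving the module base as "Offset:", the IDA snapshot name, and a Similarity block of hashes. When triaging a report like this one it is useful to pull those records into structured data, turn each "ref:" into a module-relative offset, and decode the raw hex arguments the sandbox recovered. The VirtualAlloc record above is a case in point: its third argument, 00003000, is the flAllocationType, and the bit names say more than the number. The following parser is an added example and is not part of the report or of Joe Sandbox's own tooling; the record layout and field names are taken from the page text, the MEM_* values are the documented Win32 constants, and the embedded SAMPLE is a constructed copy of two records from this page (the "Associated" dump lines are omitted). The argument splitter is deliberately naive: a string argument containing a comma would be split, which is acceptable for a triage script but worth knowing.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Memory Dump Source" /
"Joe Sandbox IDA Plugin" / "Similarity") and decode VirtualAlloc's allocation type.

Added example, not part of this report or of Joe Sandbox's tooling. Field names
follow the page text; MEM_* values are the documented Win32 constants. SAMPLE is
a constructed copy of two records from this page ("Associated" lines omitted)."""
import re

SAMPLE = """\
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 6C8EA91B
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• _getptd.MSVCR100(6C86C708,0000000C,6C86C788,?), ref: 6C86C6CF
• _endthreadex.MSVCR100(00000000), ref: 6C86C6DF
  • Part of subcall function 6C86C6A4: __freeptd.LIBCMT ref: 6C86C6B3
  • Part of subcall function 6C86C6A4: ExitThread.KERNEL32 ref: 6C86C6BC
• __XcptFilter.LIBCMT(?,?,00000000), ref: 6C86C6F0
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
Similarity
• API ID: ExitFilterThreadXcpt__freeptd_endthreadex_getptd
• API String ID: 1851418559-0
"""

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<Name>.<MODULE>(<args>), ref: <addr>"; the subcall prefix and the args are optional.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
MEM_FLAGS = {  # VirtualAlloc flAllocationType bits (documented Win32 values)
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
    0x100000: "MEM_TOP_DOWN", 0x200000: "MEM_WRITE_WATCH",
    0x400000: "MEM_PHYSICAL", 0x20000000: "MEM_LARGE_PAGES",
}


def parse_records(text):
    """One dict per 'APIs' header: direct and subcall API lines plus the named fields."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:  # page chrome before the first record
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if not m:
                raise ValueError(f"unrecognised API line: {body!r}")
            args = m.group("args")
            rec["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": args.split(",") if args is not None else [],  # naive split
                "ref": int(m.group("ref"), 16),
                "subcall_of": m.group("sub"),  # None for a direct call
            })
        else:
            m = FIELD_RE.match(body)
            if m:
                rec["fields"][m.group("key")] = m.group("val")
    return records


def image_base(rec):
    """Module base taken from the 'Offset:' part of the Source File line."""
    m = re.search(r"Offset: ([0-9A-Fa-f]+)", rec["fields"].get("Source File", ""))
    return int(m.group(1), 16) if m else None


def rva(rec, api):
    """Call-site offset inside its module (ref minus image base)."""
    return api["ref"] - image_base(rec)


def decode_alloc_type(arg):
    """Name the MEM_* bits of a flAllocationType argument; '?' = value not recovered."""
    if arg == "?":
        return None
    value = int(arg, 16)
    names = [n for bit, n in sorted(MEM_FLAGS.items()) if value & bit]
    return "|".join(names) if names else hex(value)


def virtual_alloc_calls(records):
    """(rva, decoded allocation type) for every VirtualAlloc call site in the records."""
    return [(rva(rec, a), decode_alloc_type(a["args"][2]))
            for rec in records for a in rec["apis"]
            if a["name"] == "VirtualAlloc" and len(a["args"]) >= 3]
```

Running `virtual_alloc_calls(parse_records(SAMPLE))` yields one hit at RVA 0x1A91B in the 6C8D0000 module with MEM_COMMIT|MEM_RESERVE, i.e. a plain reserve-and-commit from the C runtime heap path rather than anything that on its own flags injection; the protection argument, which would be the more telling one, is `?` here because the sandbox did not recover it. The same `parse_records` output also lets you group records by Snapshot File to see which module each function belongs to.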
APIs
• CloseHandle.KERNELBASE(?), ref: 6C8D2F99
Memory Dump Source
• Source File: 00000010.00000002.2279016841.000000006C8D1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6C8D0000, based on PE: true
• Associated: 00000010.00000002.2279000316.000000006C8D0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279049607.000000006C8FA000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279072571.000000006C903000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 00000010.00000002.2279094227.000000006C904000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c8d0000_RDMAppman.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: aaeb0a1c4c61d2faf6ef84949a96b72b6df7366a1ce1a074008ed3d0f3490404
• Instruction ID: 908e14c097fe9bea13ccf442a5b502562b966753389b358772fdf7d2313c5ecd
• Opcode Fuzzy Hash: aaeb0a1c4c61d2faf6ef84949a96b72b6df7366a1ce1a074008ed3d0f3490404
• Instruction Fuzzy Hash: 260126793052815BCF24CB14C588EEAF7B2AF87218B1688DEE8948B311C336BC03C751
APIs
• mprParseArgs.LIBMPR ref: 00EE2371
• mprCreate.LIBMPR(00000001,00000000,00000000), ref: 00EE2381
• mprAllocMem.LIBMPR(00000054,00000003,Function_00001000), ref: 00EE2397
• mprSetManager.LIBMPR(00000000,?,Function_00001000), ref: 00EE23A0
• mprAddRoot.LIBMPR(00000000,00000000,?,Function_00001000), ref: 00EE23AB
• mprAddTerminator.LIBMPR(00EE1B10,00000000,00000000,?,Function_00001000), ref: 00EE23B5
  • Part of subcall function 00EE1A80: sclone.LIBMPR(RDM Corporation,00EE23C6,00EE1B10,00000000,00000000,?,Function_00001000), ref: 00EE1A94
  • Part of subcall function 00EE1A80: sclone.LIBMPR(RDMAppweb), ref: 00EE1AA7
  • Part of subcall function 00EE1A80: mprGetAppDir.LIBMPR(00EE44D0,RDMAppweb,.exe,00000000), ref: 00EE1AC9
  • Part of subcall function 00EE1A80: sjoin.LIBMPR(00000000,00EE44D0,RDMAppweb,.exe,00000000), ref: 00EE1ACF
• mprSetLogHandler.LIBMPR(Function_00001AF0,00EE1B10,00000000,00000000,?,Function_00001000), ref: 00EE23CB
• mprSetWinMsgCallback.LIBMPR(Function_00001E30,Function_00001AF0,00EE1B10,00000000,00000000,?,Function_00001000), ref: 00EE23D5
• atoi.MSVCR100(?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE255F
• sclone.LIBMPR(?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE25BA
                                                                                                                                                                                  • sclone.LIBMPR(?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE260B
                                                                                                                                                                                  • mprStartLogging.LIBMPR(00000000,00000000,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE261C
                                                                                                                                                                                  • mprSetCmdlineLogging.LIBMPR(00000001,00000000,00000000,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2623
                                                                                                                                                                                  • sclone.LIBMPR(?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2677
                                                                                                                                                                                  • sclone.LIBMPR(?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE26C8
                                                                                                                                                                                  • mprSetLogLevel.LIBMPR(00000001,?,?,?,?,?,?,?,Function_00001000), ref: 00EE273B
                                                                                                                                                                                  • stitle.LIBMPR(?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2756
                                                                                                                                                                                  • sfmt.LIBMPR(00EE4934,00000000,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2761
                                                                                                                                                                                  • mprStart.LIBMPR(?,?,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2772
                                                                                                                                                                                  • mprGetAppName.LIBMPR(?,?,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE277B
                                                                                                                                                                                  • mprError.LIBMPR(Cannot start MPR for %s,00000000,?,?,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2786
                                                                                                                                                                                  • mprDestroy.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE278E
                                                                                                                                                                                  • mprGetAppName.LIBMPR(?,?,?,?,?,?,?,Function_00001000), ref: 00EE27A2
                                                                                                                                                                                  • mprEprintf.LIBMPR(Bad command line: %s Usage: %s [options] [program args] Switches: --args # Args to pass to service --continue # Continue on errors --console # Display the service console --heartBeat interval # Heart beat ,?,00000000,?,?,?,?,?,?,?,Function_00001000), ref: 00EE27B5
                                                                                                                                                                                  • mprDestroy.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE27E0
                                                                                                                                                                                  • mprDestroy.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,Function_00001000), ref: 00EE2815
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: sclone$Destroy$LoggingNameStart$AllocArgsCallbackCmdlineCreateEprintfErrorHandlerLevelManagerParseRootTerminatoratoisfmtsjoinstitle
                                                                                                                                                                                  • String ID: --args$--console$--continue$--daemon$--heartBeat$--home$--log$--name$--program$--verbose$8I$Bad command line: %s Usage: %s [options] [program args] Switches: --args # Args to pass to service --continue # Continue on errors --console # Display the service console --heartBeat interval # Heart beat $Cannot start MPR for %s$RDMAppwebManager$run
                                                                                                                                                                                  • API String ID: 1060576990-4124357925
                                                                                                                                                                                  • Opcode ID: 58d90b72ca9fbc494122a09b2b1997d93dd15e9cb9edc3d9d5407490a79857f9
                                                                                                                                                                                  • Instruction ID: e8861f117a21b0d4d6389e63ad3efbe0bfae1b92719cf1e35bb48a574b0152dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 58d90b72ca9fbc494122a09b2b1997d93dd15e9cb9edc3d9d5407490a79857f9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 86D1ACB1B891CD46CB295F33587177A779A5BE2324F4C32ADDAD27B2C2E6139C498301
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE160E
                                                                                                                                                                                  • mprError.LIBMPR(Cannot open service manager), ref: 00EE161F
                                                                                                                                                                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00EE164F
                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 00EE167F
                                                                                                                                                                                  • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000004,00000001,?,00000000,00000000,00EE445E,00000000,00000000), ref: 00EE16B2
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00EE16C2
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 00EE16C5
                                                                                                                                                                                  • mprError.LIBMPR(Cannot create service: 0x%x == %d,00000000), ref: 00EE16CD
                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00EE16D6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Description, xrefs: 00EE177F
                                                                                                                                                                                  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s, xrefs: 00EE1762
                                                                                                                                                                                  • Cannot write Args key to registry, xrefs: 00EE1840
                                                                                                                                                                                  • Cannot open service manager, xrefs: 00EE161A
                                                                                                                                                                                  • RDM Appweb Micro HTTP Server, xrefs: 00EE1776
                                                                                                                                                                                  • Args, xrefs: 00EE182E
                                                                                                                                                                                  • Cannot write %s key to registry, xrefs: 00EE1732
                                                                                                                                                                                  • Cannot create service: 0x%x == %d, xrefs: 00EE16C8
                                                                                                                                                                                  • Cannot write service Description key to registry, xrefs: 00EE1791
                                                                                                                                                                                  • HomeDir, xrefs: 00EE17DF
                                                                                                                                                                                  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, xrefs: 00EE1701
                                                                                                                                                                                  • Cannot write HomeDir key to registry, xrefs: 00EE17F1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$Service$LastOpen$CloseCreateFileHandleManagerModuleName
                                                                                                                                                                                  • String ID: Args$Cannot create service: 0x%x == %d$Cannot open service manager$Cannot write %s key to registry$Cannot write Args key to registry$Cannot write HomeDir key to registry$Cannot write service Description key to registry$Description$HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services$HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s$HomeDir$RDM Appweb Micro HTTP Server
                                                                                                                                                                                  • API String ID: 2875201899-1820741915
                                                                                                                                                                                  • Opcode ID: cd46fc6bd7d27d41f5cc6a94fb5fee92e2a33b38bcce1b99860206b901d1d124
                                                                                                                                                                                  • Instruction ID: f658416aac2920a26d63442636bc1d5adc34790615eb6844f0c946503975391c
                                                                                                                                                                                  • Opcode Fuzzy Hash: cd46fc6bd7d27d41f5cc6a94fb5fee92e2a33b38bcce1b99860206b901d1d124
                                                                                                                                                                                  • Instruction Fuzzy Hash: D851D6B1740388AFE724EB73DC47F9A33D8AB98710F442058F619BB1D2EA749548C692
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE188D
                                                                                                                                                                                  • mprError.LIBMPR(Cannot open service manager), ref: 00EE189E
                                                                                                                                                                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00EE18BB
                                                                                                                                                                                  • mprError.LIBMPR(Cannot access service), ref: 00EE18D0
                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00EE18D9
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Cannot open service manager, xrefs: 00EE1899
                                                                                                                                                                                  • Cannot access service, xrefs: 00EE18CB
                                                                                                                                                                                  • Cannot change service: 0x%x == %d, xrefs: 00EE191A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorOpenService$CloseHandleManager
                                                                                                                                                                                  • String ID: Cannot access service$Cannot change service: 0x%x == %d$Cannot open service manager
                                                                                                                                                                                  • API String ID: 261947648-3909125269
                                                                                                                                                                                  • Opcode ID: ac3119b9556c827172251969bba39e1650126783da940b249b53caf102ba90f0
                                                                                                                                                                                  • Instruction ID: cd8c4ee46d7fc535e3c22e707d82e89b09d6c5d53db3e7f50fa2bfb5c821227a
                                                                                                                                                                                  • Opcode Fuzzy Hash: ac3119b9556c827172251969bba39e1650126783da940b249b53caf102ba90f0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 41113BB274036C7FE621A7A7ACC6FAB2758DB817B1F000171FB00BB1D1DBA09C495291
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE1966
                                                                                                                                                                                  • mprError.LIBMPR(Cannot open service manager), ref: 00EE1977
                                                                                                                                                                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00EE1994
                                                                                                                                                                                  • mprError.LIBMPR(Cannot open service), ref: 00EE19A5
                                                                                                                                                                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00EE19AE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Cannot open service manager, xrefs: 00EE1972
                                                                                                                                                                                  • Cannot open service, xrefs: 00EE19A0
                                                                                                                                                                                  • Cannot start %s service: 0x%x, xrefs: 00EE19E8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: ErrorOpenService$CloseHandleManager
• String ID: Cannot open service$Cannot open service manager$Cannot start %s service: 0x%x
• API String ID: 261947648-2720305272
• Opcode ID: f9ee656ee8d66c56e23ba190eb183ef7a4c83f8831a72fd581253cc05db800e4
• Instruction ID: ea5d7ac6b585d8355258f40e492b9d60a8596d2f9b608d8dd3c2fbd6eec80076
• Opcode Fuzzy Hash: f9ee656ee8d66c56e23ba190eb183ef7a4c83f8831a72fd581253cc05db800e4
• Instruction Fuzzy Hash: 13016FF27403A8BFC66167A7BC89FAB37649BC5720F001064F7047B2D5DA6088899662
APIs
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d8347aae41af9af5504cc801c26b4d3a37accaa586eb7a015880e90e08e070f
• Instruction ID: 62cf78f04dd376a3e2623d9103acd5b3a0017a1dcadfeee7e9a3e38c2c3bc61a
• Opcode Fuzzy Hash: 9d8347aae41af9af5504cc801c26b4d3a37accaa586eb7a015880e90e08e070f
• Instruction Fuzzy Hash: FC91AF741541D44FF325D72AC4B3AAABBF0AF06324F29D5D8DA812F762C27498C9C750
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE1528
• mprError.LIBMPR(Cannot open service manager), ref: 00EE1539
• GetServiceDisplayNameA.ADVAPI32(00000000,?,?), ref: 00EE1571
• CloseServiceHandle.ADVAPI32(00000000), ref: 00EE157C
Strings
• Cannot open service manager, xrefs: 00EE1534
• Could not start the service control dispatcher: 0x%x, xrefs: 00EE15B3
• P, xrefs: 00EE1563
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: Service$CloseDisplayErrorHandleManagerNameOpen
• String ID: Cannot open service manager$Could not start the service control dispatcher: 0x%x$P
• API String ID: 1357429922-434568674
• Opcode ID: 9b07a3f0da3453854f80ecdcc6ff4836137ebeb0c5e505a97763b84e4c6b97cc
• Instruction ID: bb5825f599bd50850b122700d2c44d2ab249a1023d772c2210636ccd47803a2f
• Opcode Fuzzy Hash: 9b07a3f0da3453854f80ecdcc6ff4836137ebeb0c5e505a97763b84e4c6b97cc
• Instruction Fuzzy Hash: 3D1106B16006889FD611BF66DC46BAF73D5AF98710F80041DF50AAB290EB74890C87C3
APIs
• _malloc_crt.MSVCR100(00000354,?,?,6C86CD28,?,00000000,-00000002,6C8C4BD8), ref: 6C86CC3D
  • Part of subcall function 6C820CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6C82AB90,00000018,6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C820CE5
• FindClose.KERNEL32(?,?,?,6C86CD28,?,00000000,-00000002,6C8C4BD8), ref: 6C86CC5A
• FindFirstFileExW.KERNEL32(-00000002,00000000,00000000,00000000,00000000,?,?,6C86CD28,?,00000000,-00000002,6C8C4BD8), ref: 6C86CC73
• FindNextFileW.KERNEL32(?,?,6C86CD28,?,00000000,-00000002,6C8C4BD8), ref: 6C86CC9A
• FindClose.KERNEL32(?,6C86CD28,?,00000000,-00000002,6C8C4BD8), ref: 6C86CCAA
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext_malloc_crtmalloc
• String ID:
• API String ID: 1203757345-0
• Opcode ID: b47e9ca1cdb7cfe9d6d8c03643f00ac58c9d597f93521b7721f63d8e7724c54f
• Instruction ID: eb8727fa2457b66706e4cbd8fa0a06099a28c8b9d295004cec503f9bab5d60f5
• Opcode Fuzzy Hash: b47e9ca1cdb7cfe9d6d8c03643f00ac58c9d597f93521b7721f63d8e7724c54f
• Instruction Fuzzy Hash: 63012D30A05910AFCF317B2FCA499873EB9F70676D3118D35F015C6951D2348690DBE0
APIs
• sfmt.LIBMPR(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s,?), ref: 00EE12BB
• mprReadRegistry.LIBMPR(00000000,HomeDir,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s,?), ref: 00EE12C8
• mprReadRegistry.LIBMPR(00000000,Args,00000000,HomeDir,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s,?), ref: 00EE12DC
• mprGetAppDir.LIBMPR(RDMAppweb), ref: 00EE12F9
• sfmt.LIBMPR("%s\%s.exe",00000000,RDMAppweb), ref: 00EE1304
• sfmt.LIBMPR("%s",?), ref: 00EE1314
• sfmt.LIBMPR(%s %s,00000000,?), ref: 00EE1334
• mprGetTicks.LIBMPR ref: 00EE1353
• mprGetElapsedTicks.LIBMPR(00000000), ref: 00EE1372
• mprGetTicks.LIBMPR ref: 00EE1387
• mprGetAppName.LIBMPR(?), ref: 00EE13C4
• mprError.LIBMPR(Too many restarts for %s, %d in ths last hour,00000000,?), ref: 00EE13CF
• WaitForSingleObject.KERNEL32(?,?), ref: 00EE13E8
• memset.MSVCR100 ref: 00EE13FB
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?), ref: 00EE1428
• mprGetOsError.LIBMPR ref: 00EE1432
• mprError.LIBMPR(Cannot create process: %s, %d,?,00000000), ref: 00EE143E
• WaitForSingleObject.KERNEL32(?,?), ref: 00EE1466
• GetExitCodeProcess.KERNEL32(?,?), ref: 00EE147F
• CloseHandle.KERNEL32(?), ref: 00EE149D
• mprGetMpr.LIBMPR ref: 00EE14AC
• mprLogProc.LIBMPR(00000001,%s has exited with status %d,?,?), ref: 00EE14CF
• mprGetMpr.LIBMPR ref: 00EE14D7
• mprLogProc.LIBMPR(00000001,%s will be restarted in 10 seconds,?), ref: 00EE14F1
Strings
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: sfmt$ErrorTicks$ObjectProcProcessReadRegistrySingleWait$CloseCodeCreateElapsedExitHandleNamememset
• String ID: "%s"$"%s\%s.exe"$%s %s$%s has exited with status %d$%s will be restarted in 10 seconds$Args$Cannot create process: %s, %d$D$HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s$HomeDir$RDMAppweb$Too many restarts for %s, %d in ths last hour
• API String ID: 1797510928-2272421404
• Opcode ID: eb2d02bf818c41890510db3e1b5e0a3ed06ab4f03c9298195455ace5dc017c5f
• Instruction ID: 91d43a906e1e0579d5b0d56c1da2837ed41d212f2f885bca7de13841013c0a24
• Opcode Fuzzy Hash: eb2d02bf818c41890510db3e1b5e0a3ed06ab4f03c9298195455ace5dc017c5f
• Instruction Fuzzy Hash: F861C4B5A0039C9FC720EF63DC8592A73F8EB58355B0065ACF9057B661D370AD89CBA1
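The API and string listing above (sfmt / mprReadRegistry / CreateProcessA / mprLogProc at 00EE12BB-00EE14F1) describes a service watchdog: it reads HomeDir and Args from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>, formats "<HomeDir>\RDMAppweb.exe", wraps it in quotes, appends Args, spawns it with CreateProcessA (lpApplicationName = NULL, so the quoted first token is what keeps a path with spaces from being split), waits for it to exit, and restarts it after 10 seconds unless too many restarts have happened in the last hour. The model below is an added example written for this report, not code recovered from the RDM installer or produced by Joe Sandbox. It reconstructs only the control flow the listing shows; the per-hour restart threshold, the exit codes and the timestamps fed to it are constructed assumptions, since the listing does not reveal those values. Because everything the service launches is driven by the HomeDir and Args values of that key, the ACLs on the key and on the HomeDir directory are what a reviewer would check next.

```python
"""Model of the RDMAppman restart loop reconstructed from the Joe Sandbox API
listing (added example; not the installer's code). The threshold
MAX_RESTARTS_PER_HOUR is an ASSUMPTION: the strings show a one-hour window
and a 10-second delay, but not the limit."""
from collections import deque

RESTART_DELAY_SECONDS = 10      # from "%s will be restarted in 10 seconds"
WINDOW_SECONDS = 60 * 60        # from "Too many restarts for %s, %d in ths last hour"
MAX_RESTARTS_PER_HOUR = 5       # ASSUMPTION: not recoverable from the listing

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%s"


def service_key(service_name):
    """Registry key the watchdog reads HomeDir and Args from (sfmt at 00EE12BB)."""
    return SERVICES_KEY % service_name


def build_command_line(home_dir, app_name, args):
    """Reproduces the three sfmt calls at 00EE1304 / 00EE1314 / 00EE1334:
    "%s\\%s.exe" -> "\"%s\"" -> "%s %s".  CreateProcessA is called with
    lpApplicationName = NULL, so the quotes around the image path are the
    only thing that stops a path containing spaces from being split."""
    image = "%s\\%s.exe" % (home_dir, app_name)
    quoted = '"%s"' % image
    return ("%s %s" % (quoted, args)).rstrip()


class RestartThrottle:
    """Sliding one-hour window over restart times (mprGetTicks / mprGetElapsedTicks)."""

    def __init__(self, limit=MAX_RESTARTS_PER_HOUR, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._restarts = deque()

    def _expire(self, now):
        while self._restarts and now - self._restarts[0] >= self.window:
            self._restarts.popleft()

    def record_exit(self, now):
        """Child exited at time `now`; return True if a restart is allowed."""
        self._expire(now)
        if len(self._restarts) >= self.limit:
            return False
        self._restarts.append(now)
        return True

    def restarts_in_window(self, now):
        self._expire(now)
        return len(self._restarts)


def simulate(exits, app_name="RDMAppweb", limit=MAX_RESTARTS_PER_HOUR):
    """Drive the loop with a constructed list of (exit_time, exit_code) pairs.
    Returns (log_lines, stop_reason); stop_reason is None if every exit was
    followed by a scheduled restart.  The message text, including the
    binary's "ths" typo, is kept verbatim from the listing."""
    throttle = RestartThrottle(limit)
    log = []
    for exit_time, exit_code in exits:
        log.append("%s has exited with status %d" % (app_name, exit_code))      # 00EE14CF
        if not throttle.record_exit(exit_time):
            log.append("Too many restarts for %s, %d in ths last hour"
                       % (app_name, throttle.restarts_in_window(exit_time)))  # 00EE13CF
            return log, "too_many_restarts"
        log.append("%s will be restarted in %d seconds"
                   % (app_name, RESTART_DELAY_SECONDS))                         # 00EE14F1
    return log, None


if __name__ == "__main__":
    print(build_command_line(r"C:\Program Files\RDM", "RDMAppweb", "--port 8080"))
    lines, reason = simulate([(0, 1), (5, 1), (10, 1), (15, 1)], limit=3)
    print("\n".join(lines), reason)
```

The quoting reproduced in build_command_line is the behaviour the listing shows; whether the HomeDir value itself can be changed by a low-privileged user is a question the report does not answer and is the check to run on an installed system.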
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C830B2C
                                                                                                                                                                                  • _waccess_s.MSVCR100(?,00000000), ref: 6C830B36
                                                                                                                                                                                    • Part of subcall function 6C8227B6: GetFileAttributesW.KERNEL32(?), ref: 6C8227D7
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C830B43
                                                                                                                                                                                  • _wdupenv_s.MSVCR100(?,00000000,?), ref: 6C830B66
                                                                                                                                                                                    • Part of subcall function 6C82FD24: _lock.MSVCR100(00000007,6C82FD98,0000000C), ref: 6C82FD32
                                                                                                                                                                                  • _wcslen.LIBCMT(?), ref: 6C830B8B
                                                                                                                                                                                  • _errno.MSVCR100(00000000,00000000,00000000), ref: 6C830BAE
                                                                                                                                                                                  • _wcslen.LIBCMT(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C830C08
                                                                                                                                                                                  • wcscpy_s.MSVCR100(00000000,00000002,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C830C51
                                                                                                                                                                                  • _waccess_s.MSVCR100(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C830C68
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C830C8B
                                                                                                                                                                                  • wcscpy_s.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C830CA5
                                                                                                                                                                                  • free.MSVCR100(?), ref: 6C830CE1
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C8510C4
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C8510CE
                                                                                                                                                                                  • _wfullpath.MSVCR100(?,?,?), ref: 6C8510E7
                                                                                                                                                                                  • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C85110D
                                                                                                                                                                                  • _wcslen.LIBCMT(?,00000000,00000000,00000000,00000000,00000000), ref: 6C851118
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000002,00000002,?,00000000,00000000,00000000,00000000,00000000), ref: 6C851124
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C85113F
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,00000000,00000000,00000000), ref: 6C85115A
                                                                                                                                                                                  • _wcslen.LIBCMT(?,?,?,?,00000000,00000000,00000000), ref: 6C85116A
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000002,00000002,?,?,?,?,00000000,00000000,00000000), ref: 6C851176
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C8511AF
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C8511BA
                                                                                                                                                                                  • free.MSVCR100(?), ref: 6C8511CC
                                                                                                                                                                                  • free.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C8511F0
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C8511F6
                                                                                                                                                                                  • free.MSVCR100(?), ref: 6C851209
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$_wcslenfree$_calloc_crt_waccess_swcscpy_s$AttributesFile__invoke_watson_invalid_parameter_noinfo_lock_wdupenv_s_wfullpath
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1320518012-0
                                                                                                                                                                                  • Opcode ID: 94a0c7aeeee70081e81e4cb7f2db965ea194ef5e73a3b24c900108d520b82b13
                                                                                                                                                                                  • Instruction ID: 446a29de38f8c571a8cc33eb5661a949f56305b552da914b0189350d00dccef4
                                                                                                                                                                                  • Opcode Fuzzy Hash: 94a0c7aeeee70081e81e4cb7f2db965ea194ef5e73a3b24c900108d520b82b13
                                                                                                                                                                                  • Instruction Fuzzy Hash: 46919E709802689EDB709F68DE88BD9B7B4AF05308F5019E5D408E7A50EB74CED58FD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcsnlen.MSVCR100(?,00007FFF,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C8326ED
                                                                                                                                                                                  • wcsnlen.MSVCR100(?,00007FFF,?,00007FFF,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C8326F8
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000002,00000002), ref: 6C832717
                                                                                                                                                                                  • wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6C83272E
                                                                                                                                                                                  • wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6C83274B
                                                                                                                                                                                    • Part of subcall function 6C83248A: wcschr.MSVCR100(00000000,0000003D,7622DF80,00000000,029618B0), ref: 6C8324B5
                                                                                                                                                                                    • Part of subcall function 6C83248A: free.MSVCR100(?,7622DF80,00000000,029618B0), ref: 6C832528
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C832789
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C8327A5
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000000,00000001), ref: 6C8327B2
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C8327CB
                                                                                                                                                                                  • _strlen.LIBCMT(00000000), ref: 6C8327DD
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C8327FB
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C832820
                                                                                                                                                                                  • _errno.MSVCR100(?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C850FD6
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C850FE1
                                                                                                                                                                                  • wcschr.MSVCR100(?,0000003D,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C850FF1
                                                                                                                                                                                  • wcsnlen.MSVCR100(-00000002,00007FFF,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C851015
                                                                                                                                                                                  • _wcslen.LIBCMT(?,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C851021
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000001,00000002,?,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C85102C
                                                                                                                                                                                  • wcscpy_s.MSVCR100(00000000,00000001,?), ref: 6C851042
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C85104F
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C85105A
                                                                                                                                                                                  • free.MSVCR100(00000000), ref: 6C851075
                                                                                                                                                                                  • free.MSVCR100(?), ref: 6C851097
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$_calloc_crt_errnofreewcscpy_swcsnlen$_invalid_parameter_noinfowcschr$_strlen_wcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 928254730-0
                                                                                                                                                                                  • Opcode ID: fa738556872a753f78f9d9d5823e3c33f74fdb0288207020165e5a17839985f0
                                                                                                                                                                                  • Instruction ID: b127039247bf3478b631e6c58798528d08d6bbf22cd3f6ecc19843194c10d425
                                                                                                                                                                                  • Opcode Fuzzy Hash: fa738556872a753f78f9d9d5823e3c33f74fdb0288207020165e5a17839985f0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D51D671905238BACB315EA88E8CDDF3A6CDF46778F205D25F41896A81EB7DC580D6E0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100(?,?,00000007,00000007,?,6C89D1C2,?,00000000,6C89D1E8,0000000C), ref: 6C89CFC8
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,00000007,00000007,?,6C89D1C2,?,00000000,6C89D1E8,0000000C), ref: 6C89CFD3
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • _mbschr.MSVCR100(?,0000003D,?,?,?,00000007,00000007,?,6C89D1C2,?,00000000,6C89D1E8,0000000C), ref: 6C89CFE9
                                                                                                                                                                                  • _strnlen.LIBCMT(00000001,00007FFF,?,?,?,00000007,00000007,?,6C89D1C2,?,00000000,6C89D1E8,0000000C), ref: 6C89D004
                                                                                                                                                                                  • _strlen.LIBCMT(?,?,?,?,00000007,00000007,?,6C89D1C2,?,00000000,6C89D1E8,0000000C), ref: 6C89D010
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000001,00000001,?,?,?,?,00000007,00000007,?,6C89D1C2,?,00000000,6C89D1E8,0000000C), ref: 6C89D01B
                                                                                                                                                                                  • strcpy_s.MSVCR100(00000000,00000001,?), ref: 6C89D031
                                                                                                                                                                                  • free.MSVCR100(00000000), ref: 6C89D18E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _calloc_crt_errno_invalid_parameter_invalid_parameter_noinfo_mbschr_strlen_strnlenfreestrcpy_s
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 698896286-0
                                                                                                                                                                                  • Opcode ID: 7dbe43aa069a209111610a452f903fee12242f1379405c9afa4820daac3cacd1
                                                                                                                                                                                  • Instruction ID: b423053381dd306ad72ad595f36f2ec0898f3db31959e664803bd02838cb20e6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7dbe43aa069a209111610a452f903fee12242f1379405c9afa4820daac3cacd1
                                                                                                                                                                                  • Instruction Fuzzy Hash: C151F873404115BBDF315FAC9E84DAE7BB8DF45368F200D3BF51497A80DB358A8586A8
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • smatch.LIBMPR(?,install), ref: 00EE21EE
                                                                                                                                                                                  • smatch.LIBMPR(?,uninstall), ref: 00EE2206
                                                                                                                                                                                  • smatch.LIBMPR(?,enable), ref: 00EE221C
                                                                                                                                                                                  • smatch.LIBMPR(?,disable), ref: 00EE2232
                                                                                                                                                                                  • smatch.LIBMPR(?,start), ref: 00EE2248
                                                                                                                                                                                  • smatch.LIBMPR(?,stop), ref: 00EE225E
                                                                                                                                                                                  • smatch.LIBMPR(?,reload), ref: 00EE2274
                                                                                                                                                                                  • smatch.LIBMPR(?,restart), ref: 00EE228A
                                                                                                                                                                                  • smatch.LIBMPR(?,run), ref: 00EE232D
                                                                                                                                                                                    • Part of subcall function 00EE21E0: smatch.LIBMPR(start,install,stop), ref: 00EE22B1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: smatch
                                                                                                                                                                                  • String ID: disable$enable$install$reload$restart$run$start$stop$uninstall
                                                                                                                                                                                  • API String ID: 2148396244-3850419480
                                                                                                                                                                                  • Opcode ID: ba316d07ccd78ebbda44014616f825b99d44a6bd255278770d1b5c822821d187
                                                                                                                                                                                  • Instruction ID: 0d7a5360e7f1e54000f893c1a209ab72323c2fc00b4ec5dc65c7a50d414bc695
                                                                                                                                                                                  • Opcode Fuzzy Hash: ba316d07ccd78ebbda44014616f825b99d44a6bd255278770d1b5c822821d187
                                                                                                                                                                                  • Instruction Fuzzy Hash: 20215396E823EC179C113AA73C03BDA13C80E6676BF083496FD0877283B796575D51A6
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C872567
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C872572
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C872597
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C8725A2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                                                                                                  • String ID: PATH
                                                                                                                                                                                  • API String ID: 1328987296-1036084923
                                                                                                                                                                                  • Opcode ID: c78d644c47a2d7752797ae24c76f68ef4dab5549ec75c9b545e45eca86e3949f
                                                                                                                                                                                  • Instruction ID: f5d79bb47430abb822ed0c0a04ecf0b2ca641090d6969fd185be5b51396b36bf
                                                                                                                                                                                  • Opcode Fuzzy Hash: c78d644c47a2d7752797ae24c76f68ef4dab5549ec75c9b545e45eca86e3949f
                                                                                                                                                                                  • Instruction Fuzzy Hash: F131B871900644EEDB319F6D8F889DD3B74AF43368F204E65E42097A90FB7D89848AB1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcschr.MSVCR100(00000000,0000003D,7622DF80,00000000,029618B0), ref: 6C8324B5
                                                                                                                                                                                  • free.MSVCR100(?,7622DF80,00000000,029618B0), ref: 6C832528
                                                                                                                                                                                  • _errno.MSVCR100(7622DF80,00000000,029618B0), ref: 6C8373F0
                                                                                                                                                                                  • _errno.MSVCR100(029618B0), ref: 6C851473
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(029618B0), ref: 6C85147E
                                                                                                                                                                                  • ___mbtow_environ.LIBCMT ref: 6C8514B0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$___mbtow_environ_invalid_parameter_noinfofreewcschr
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3080074160-0
                                                                                                                                                                                  • Opcode ID: 0afa05a8fd68ceb1f37b48c8f37d292e7628a028afcf74ee1121898431cf7ee1
                                                                                                                                                                                  • Instruction ID: bbe82275bd534476bb815590612f74e1cdd3327201c52c3ee470f79a53890b07
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0afa05a8fd68ceb1f37b48c8f37d292e7628a028afcf74ee1121898431cf7ee1
                                                                                                                                                                                  • Instruction Fuzzy Hash: F171F971601124EFCB318FA8CB845DD77B0EB06B1CB602D39D4168BA80E775DA91CBD0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbschr.MSVCR100(00000000,0000003D,00000000,00000000,7622DFF0), ref: 6C83263B
                                                                                                                                                                                    • Part of subcall function 6C8325FD: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6C832640,00000000,0000003D,00000000,00000000,7622DFF0), ref: 6C83260A
                                                                                                                                                                                  • free.MSVCR100(00000000,00000000,00000000,7622DFF0), ref: 6C8326A2
                                                                                                                                                                                  • _errno.MSVCR100(00000000,00000000,7622DFF0), ref: 6C8326B4
                                                                                                                                                                                  • _errno.MSVCR100(7622DFF0), ref: 6C851B83
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(7622DFF0), ref: 6C851B8E
                                                                                                                                                                                  • ___wtomb_environ.LIBCMT ref: 6C851BB7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$___wtomb_environ_invalid_parameter_noinfo_mbschr_mbschr_lfree
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 679965329-0
                                                                                                                                                                                  • Opcode ID: ebdfa2a7bb42791107ea19d6147cc4dd53e5f8b2a808de610c3d1ee9634e2028
                                                                                                                                                                                  • Instruction ID: 3d6aeac2288318d82f3bf8b15b7d22b5323c5cc26eebde73f5eacd96bb488298
                                                                                                                                                                                  • Opcode Fuzzy Hash: ebdfa2a7bb42791107ea19d6147cc4dd53e5f8b2a808de610c3d1ee9634e2028
                                                                                                                                                                                  • Instruction Fuzzy Hash: C361E3B2A04115EFCF349FA8CAC44DD77B0AF02318B611D39D528ABA51E7759E91CBC1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _memset.LIBCMT(?,000000FF,00000024), ref: 6C836905
                                                                                                                                                                                  • _get_daylight.MSVCR100(?), ref: 6C836941
                                                                                                                                                                                  • _get_dstbias.MSVCR100(?), ref: 6C836953
                                                                                                                                                                                  • _get_timezone.MSVCR100(?), ref: 6C836965
                                                                                                                                                                                  • _gmtime64_s.MSVCR100(?,?), ref: 6C836999
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C8369BF
                                                                                                                                                                                  • _gmtime64_s.MSVCR100(?,?), ref: 6C8369CB
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C849DE1
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C849DEB
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C849DF7
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C849E01
                                                                                                                                                                                  • _gmtime64_s.MSVCR100(?,?), ref: 6C849E3A
                                                                                                                                                                                  • __allrem.LIBCMT ref: 6C849EA5
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C849EC1
                                                                                                                                                                                  • __allrem.LIBCMT ref: 6C849ED8
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C849EF6
                                                                                                                                                                                  • __allrem.LIBCMT ref: 6C849F0D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3568092448-0
                                                                                                                                                                                  • Opcode ID: 2410b5a76dea4bebb5b0e4da6521188fea6587f60a2b6088ff022e89c0ac0746
                                                                                                                                                                                  • Instruction ID: 683d25d5d38338fe90daa6ae25ab2bb94980021b0ed30490d1568bc91f976203
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2410b5a76dea4bebb5b0e4da6521188fea6587f60a2b6088ff022e89c0ac0746
                                                                                                                                                                                  • Instruction Fuzzy Hash: B081C7716417299BD7349BACCB80B9E73E9AF85328F149D3AE818D7F80E774E9044790
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C86035A: TlsGetValue.KERNEL32(6C856185), ref: 6C86036C
                                                                                                                                                                                  • TlsGetValue.KERNEL32 ref: 6C86A8C1
                                                                                                                                                                                  • DebugBreak.KERNEL32 ref: 6C86A8CB
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C86A903
                                                                                                                                                                                  • swprintf.LIBCMT(?,00000400,[%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d),00000000), ref: 6C86A933
                                                                                                                                                                                  • _fwprintf.LIBCMT(?), ref: 6C86A975
                                                                                                                                                                                  • fflush.MSVCR100(?), ref: 6C86A980
                                                                                                                                                                                  • OutputDebugStringW.KERNEL32(?), ref: 6C86A98F
                                                                                                                                                                                  • DebugBreak.KERNEL32 ref: 6C86A995
                                                                                                                                                                                  • exit.MSVCR100(000000F8), ref: 6C86A99D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • [%d] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6C86A949
                                                                                                                                                                                  • [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6C86A9A8, 6C86A922
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Debug$BreakValue$CurrentOutputStringThread_fwprintfexitfflushswprintf
                                                                                                                                                                                  • String ID: [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d)$[%d] %S: !!!!!!!Assert Failed(%S: %d)
                                                                                                                                                                                  • API String ID: 1172176910-813932914
                                                                                                                                                                                  • Opcode ID: a89bf29d961277592593664b9f2538226835db92220a4d9ac108dac88fc616fb
                                                                                                                                                                                  • Instruction ID: f0a7d532d3deefc2acb048c7a6cb8993e0d0d5979e7c7e6f043d7cf892d76cf7
                                                                                                                                                                                  • Opcode Fuzzy Hash: a89bf29d961277592593664b9f2538226835db92220a4d9ac108dac88fc616fb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9C513D729083D49FCB22CBB48D18A997FB4BF56204B0889EFD482C7592D738D949CB91
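Every function block in this report has the same shape: an APIs list with call-site addresses (some marked as part of a subcall), an optional Strings list with xrefs, a Memory Dump Source line carrying the image base the addresses were dumped at, and Similarity IDs. When triaging a report like this one, the practical step is to turn those lines into image-relative offsets and a per-module import summary that can be rebased into IDA or Ghidra. The parser below is an added example, not Joe Sandbox's own code or part of the report; it assumes only the line shapes visible on this page, and its sample block is constructed from lines copied from the blocks above.

```python
"""Parse a Joe Sandbox function block (APIs / Strings / Memory Dump Source /
Similarity) into records.  Added example, not Joe Sandbox's own code; it
assumes only the line shapes visible on this page."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a block assembled from lines copied from this page.
SAMPLE = """\
APIs
• _mbschr.MSVCR100(00000000,0000003D,00000000,00000000,7622DFF0), ref: 6C83263B
  • Part of subcall function 6C8325FD: _mbschr_l.MSVCR100(00000000,00000000,00000000,?,6C832640,00000000,0000003D,00000000,00000000,7622DFF0), ref: 6C83260A
• free.MSVCR100(00000000,00000000,00000000,7622DFF0), ref: 6C8326A2
• ___wtomb_environ.LIBCMT ref: 6C851BB7
Strings
• [%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d), xrefs: 6C86A9A8, 6C86A922
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
Similarity
• API ID: _errno$___wtomb_environ_invalid_parameter_noinfo_mbschr_mbschr_lfree
• API String ID: 679965329-0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
                    r"(?P<callee>[^(]+?)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-Fa-f]+(?:, [0-9A-Fa-f]+)*)$")
OFF_RE = re.compile(r"Offset: (?P<base>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str                 # MSVCR100, KERNEL32, LIBCMT, ...
    args: Optional[List[str]]   # raw argument strings; None when the report shows no list
    ref: int                    # virtual address of the call site
    subcall_of: Optional[int]   # parent function when the report marks it as a subcall


@dataclass
class StringRef:
    text: str
    xrefs: List[int]


@dataclass
class FunctionBlock:
    base: Optional[int] = None  # image base from the Memory Dump Source line
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[StringRef] = field(default_factory=list)
    api_id: Optional[str] = None
    api_string_id: Optional[str] = None

    def rva(self, va: int) -> int:
        """Image-relative offset of a dumped address, for rebasing in IDA/Ghidra."""
        if self.base is None:
            raise ValueError("block has no Memory Dump Source offset")
        return va - self.base

    def modules(self) -> Counter:
        return Counter(c.module for c in self.apis)

    def call_sites(self) -> List[Tuple[int, str]]:
        """(rva, 'MODULE!api') pairs sorted by offset."""
        return sorted((self.rva(c.ref), f"{c.module}!{c.name}") for c in self.apis)


def parse_block(text: str) -> FunctionBlock:
    block, section = FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop the report's bullet and indentation
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                continue                          # unknown shape: skip rather than guess
            name, _, module = m["callee"].rpartition(".")
            # A literal argument that itself contains commas would be split here too.
            args = m["args"].split(",") if m["args"] is not None else None
            parent = int(m["parent"], 16) if m["parent"] else None
            block.apis.append(ApiCall(name or m["callee"], module, args, int(m["ref"], 16), parent))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                block.strings.append(StringRef(m["text"], [int(x, 16) for x in m["xrefs"].split(", ")]))
        elif section == "Memory Dump Source":
            m = OFF_RE.search(line)
            if m:
                block.base = int(m["base"], 16)
        elif section == "Similarity":
            if line.startswith("API ID: "):
                block.api_id = line[len("API ID: "):]
            elif line.startswith("API String ID: "):
                block.api_string_id = line[len("API String ID: "):]
    return block


if __name__ == "__main__":
    b = parse_block(SAMPLE)
    for rva, api in b.call_sites():
        print(f"+0x{rva:05X}  {api}")
    print(dict(b.modules()), b.api_string_id)
```

Arguments are kept as the raw strings the report prints (a hex value, `?` for an unresolved value, or a literal such as a format string), so treat `args` as a hint rather than a decoded call; lines whose shape the parser does not recognise are skipped rather than guessed at, and the RVAs only make sense for blocks whose Source File offset matches the module you are rebasing into.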
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • mprGetMpr.LIBMPR ref: 00EE20F1
                                                                                                                                                                                  • mprLogProc.LIBMPR(00000001,Watching over %s,?), ref: 00EE210C
                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EE2123
                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EE2136
                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00002040,00000000,00000000,?), ref: 00EE2161
                                                                                                                                                                                  • mprError.LIBMPR(Cannot create service thread), ref: 00EE2179
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00EE218C
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00EE21A2
                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 00EE21B4
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00EE21C4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Watching over %s, xrefs: 00EE2105
                                                                                                                                                                                  • Cannot create service thread, xrefs: 00EE2174
                                                                                                                                                                                  • Cannot create wait events, xrefs: 00EE21CB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateEvent$CloseHandle$ErrorObjectProcSingleThreadWait
                                                                                                                                                                                  • String ID: Cannot create service thread$Cannot create wait events$Watching over %s
                                                                                                                                                                                  • API String ID: 4028622517-1174098061
                                                                                                                                                                                  • Opcode ID: 098869d21f9050d5e38f1fc152f1ea5b3b7de8ef37f72079cff07027ce6e7809
                                                                                                                                                                                  • Instruction ID: 25da591b394096223c67dee20527895afd77cf0758922b09f15fa43db9739858
                                                                                                                                                                                  • Opcode Fuzzy Hash: 098869d21f9050d5e38f1fc152f1ea5b3b7de8ef37f72079cff07027ce6e7809
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5621D872680358AFD224EF66EC86F453364A714761F204059F705BF2D1D7B1E98CCB51
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _fileno$__fassignisleadbyte
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3459433188-0
                                                                                                                                                                                  • Opcode ID: daca717d54b05e2d7b486ca488ea27b347d83a1ffcc41aa711e3b7231a9d8bcf
                                                                                                                                                                                  • Instruction ID: 969963a3629368f6d3373d41580189d1a4f02e7aae451acdff4ace4385e399ac
                                                                                                                                                                                  • Opcode Fuzzy Hash: daca717d54b05e2d7b486ca488ea27b347d83a1ffcc41aa711e3b7231a9d8bcf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 095139710055699DC3364B6CDB0C5AA3BA49F033387344E2EE4A49BAC2DB2CDA86C7D4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • free.MSVCR100(?,6C829233,-0000006C,?,?,6C82A4AB,-0000006C,-0000006C,?,?,6C824ECC,-0000006C), ref: 6C82A48E
                                                                                                                                                                                  • free.MSVCR100(?,6C829233,-0000006C,?,?,6C82A4AB,-0000006C,-0000006C,?,?,6C824ECC,-0000006C), ref: 6C836E9C
                                                                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 6C836EA7
                                                                                                                                                                                  • free.MSVCR100(?,6C829233,-0000006C,?,?,6C82A4AB,-0000006C,-0000006C,?,?,6C824ECC,-0000006C), ref: 6C836EBD
                                                                                                                                                                                  • ___free_lconv_num.LIBCMT ref: 6C836EC8
                                                                                                                                                                                  • free.MSVCR100(?,6C829233,-0000006C,?,?,6C82A4AB,-0000006C,-0000006C,?,?,6C824ECC,-0000006C), ref: 6C836ED5
                                                                                                                                                                                  • free.MSVCR100(?,?,6C829233,-0000006C,?,?,6C82A4AB,-0000006C,-0000006C,?,?,6C824ECC,-0000006C), ref: 6C836EE0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$___free_lconv_mon___free_lconv_num
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2838340673-0
                                                                                                                                                                                  • Opcode ID: 97012c9680514cd90964dee2e4cca09fd4317880d0042d8b0721c484b4fd3930
                                                                                                                                                                                  • Instruction ID: cbd7864f68188835e81ef5190120729450f45e9d4014ce7a493a568eb9bdccb9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 97012c9680514cd90964dee2e4cca09fd4317880d0042d8b0721c484b4fd3930
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0A315F71504245DFDB305F69DF8CAC773A6AF01318F200D3AE1598BA60DB38E8C88691
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C820698: GetLastError.KERNEL32(6C813238,?,6C8207BA,6C8B7F62), ref: 6C82069C
                                                                                                                                                                                    • Part of subcall function 6C820698: __set_flsgetvalue.MSVCR100 ref: 6C8206AA
                                                                                                                                                                                    • Part of subcall function 6C820698: SetLastError.KERNEL32(00000000), ref: 6C8206BC
                                                                                                                                                                                  • strcpy_s.MSVCR100(?,00000086,00000000,?), ref: 6C89ED2A
                                                                                                                                                                                  • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C89ED3F
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89ED96
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89EDA0
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000086,00000001), ref: 6C89ED04
                                                                                                                                                                                    • Part of subcall function 6C89C1AC: __sys_nerr.MSVCR100(?,?,6C89C264,00000000), ref: 6C89C1B9
                                                                                                                                                                                    • Part of subcall function 6C89C1AC: __sys_nerr.MSVCR100(?,?,6C89C264,00000000), ref: 6C89C1C2
                                                                                                                                                                                    • Part of subcall function 6C89C1AC: __sys_errlist.MSVCR100(?,?,6C89C264,00000000), ref: 6C89C1C9
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast__sys_nerr$__invoke_watson__set_flsgetvalue__sys_errlist_calloc_crt_errno_invalid_parameter_noinfostrcpy_s
                                                                                                                                                                                  • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                                                                                                                                  • API String ID: 95875612-798102604
                                                                                                                                                                                  • Opcode ID: f91fe21701c01a61789088f641a54af0b32dbfd9e39a2cf2c096091c809b5a7c
                                                                                                                                                                                  • Instruction ID: 621c85c4ea45ca1c1673ce3ba5c8a70b1e021a1c103e31b2cf8374d9c2cbc2fc
                                                                                                                                                                                  • Opcode Fuzzy Hash: f91fe21701c01a61789088f641a54af0b32dbfd9e39a2cf2c096091c809b5a7c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 37414471606224BBDB319B6D8F888EF7F78FF06769B240D79F40496A61D721DA4083E4
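                                                                                                                                                                                   The per-function "APIs" listings above (the service-thread routine at 00EE210C..00EE21C4 and the strerror routine at 6C89ED04..6C89EDA0 with its "Part of subcall function" entries) are easier to work with as structured records than as bullet lines. The parser below is an added example for this page, not Joe Sandbox's own code or tooling: it assumes only the line shapes visible in this report and the documented parameter order of CreateThread and CreateEventA. Its sample input is copied from the two listings above.

```python
"""Parser for the per-function "APIs" listings in a Joe Sandbox report.
Added example for this page, not Joe Sandbox's own code: it assumes only
the line shapes visible in the report and documented Win32 signatures."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shapes handled (as printed in the report): argument list optional,
# "Part of subcall function X:" prefix optional, call site after "ref:".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Sample input: the service-thread listing at 00EE210C..00EE21C4, copied from the report.
SERVICE_THREAD_LISTING = """\
• mprLogProc.LIBMPR(00000001,Watching over %s,?), ref: 00EE210C
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EE2123
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00EE2136
• CreateThread.KERNEL32(00000000,00000000,Function_00002040,00000000,00000000,?), ref: 00EE2161
• mprError.LIBMPR(Cannot create service thread), ref: 00EE2179
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00EE218C
• CloseHandle.KERNEL32(00000000), ref: 00EE21A2
• SetEvent.KERNEL32(?), ref: 00EE21B4
• CloseHandle.KERNEL32(?), ref: 00EE21C4
"""

# Sample input: the strerror listing at 6C89ED04..6C89EDA0 with its subcall entries, copied from the report.
STRERROR_LISTING = """\
  • Part of subcall function 6C820698: GetLastError.KERNEL32(6C813238,?,6C8207BA,6C8B7F62), ref: 6C82069C
  • Part of subcall function 6C820698: __set_flsgetvalue.MSVCR100 ref: 6C8206AA
  • Part of subcall function 6C820698: SetLastError.KERNEL32(00000000), ref: 6C8206BC
• strcpy_s.MSVCR100(?,00000086,00000000,?), ref: 6C89ED2A
• __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C89ED3F
• _errno.MSVCR100(?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89ED96
• _invalid_parameter_noinfo.MSVCR100(?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89EDA0
• _calloc_crt.MSVCR100(00000086,00000001), ref: 6C89ED04
  • Part of subcall function 6C89C1AC: __sys_nerr.MSVCR100(?,?,6C89C264,00000000), ref: 6C89C1B9
  • Part of subcall function 6C89C1AC: __sys_nerr.MSVCR100(?,?,6C89C264,00000000), ref: 6C89C1C2
  • Part of subcall function 6C89C1AC: __sys_errlist.MSVCR100(?,?,6C89C264,00000000), ref: 6C89C1C9
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw operands: hex immediates, "?" when unresolved, or a string literal
    ref: int                 # call-site address
    subcall: Optional[int]   # enclosing function for "Part of subcall function" entries


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if m is None:            # "Strings", "Memory Dump Source", ... are not API lines
        return None
    args, sub = m.group("args"), m.group("subcall")
    return ApiCall(m.group("name"), m.group("module"),
                   args.split(",") if args else [],
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_listing(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """The report does not print calls in address order (note _calloc_crt at
    6C89ED04 listed last); sorting by ref recovers their order in the function."""
    direct = [c for c in calls if c.subcall is None]
    return {"counts": Counter(c.name for c in direct),
            "modules": sorted({c.module for c in calls}),
            "sequence": [c.name for c in sorted(direct, key=lambda c: c.ref)],
            "subcalls": sorted({c.subcall for c in calls if c.subcall is not None})}


def thread_entry_points(calls: List[ApiCall]) -> List[str]:
    """lpStartAddress is CreateThread's third parameter; the report prints it
    as a Function_XXXX label, which is where to continue the review."""
    return [c.args[2] for c in calls if c.name == "CreateThread" and len(c.args) >= 3]


def event_objects(calls: List[ApiCall]) -> List[Dict[str, Optional[bool]]]:
    """Decode CreateEventA/W(lpEventAttributes, bManualReset, bInitialState, lpName);
    an operand the report could not resolve yields None rather than a guess."""
    def flag(v: str) -> Optional[bool]:
        try:
            return int(v, 16) != 0
        except ValueError:
            return None
    return [{"manual_reset": flag(c.args[1]), "initially_signaled": flag(c.args[2]),
             "named": flag(c.args[3])}
            for c in calls if c.name in ("CreateEventA", "CreateEventW") and len(c.args) == 4]


if __name__ == "__main__":
    for text in (SERVICE_THREAD_LISTING, STRERROR_LISTING):
        calls = parse_listing(text)
        print(summarize(calls)["sequence"], thread_entry_points(calls), event_objects(calls))
```

                                                                                                                                                                                   Run over every "APIs" block of the report rather than these two, the same functions give a per-function call frequency table, the set of imported modules, and the list of thread start routines (here Function_00002040) that still need to be read. Unresolved "?" operands are kept verbatim so that no argument value is invented.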
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _fileno$__cftof
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 813615167-0
                                                                                                                                                                                  • Opcode ID: b42915f75e492d850b61a343e0c4d04cbd177c9871af9538b3491b086b6c7d86
                                                                                                                                                                                  • Instruction ID: d9de6248fe870b28cc9929ba0b04b73fee2fb7e5d1e73bb63f1d94d39f9028cd
                                                                                                                                                                                  • Opcode Fuzzy Hash: b42915f75e492d850b61a343e0c4d04cbd177c9871af9538b3491b086b6c7d86
                                                                                                                                                                                  • Instruction Fuzzy Hash: 974119321026659AC3354BACDF445DE37649F067293202F29E474AFAD0DB3CDA87C6D0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _strnlen.LIBCMT(?,?,?,?,?,?,?,?), ref: 6C834F26
                                                                                                                                                                                  • __crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001,?,?,?,?,?,?), ref: 6C834F5A
                                                                                                                                                                                  • __crtLCMapStringA.MSVCR100(?,?,00000100,?,000000FF,00000000,00000000,?,00000001), ref: 6C834FD5
                                                                                                                                                                                  • strcpy_s.MSVCR100(?,?,00000000), ref: 6C834FEC
                                                                                                                                                                                  • _freea_s.MSVCR100(00000000), ref: 6C834FF9
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?), ref: 6C84C372
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?), ref: 6C84C37C
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C84C3AD
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C84C3B8
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C84C3C7
                                                                                                                                                                                  • malloc.MSVCR100(00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C84C3D1
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,?,?,?), ref: 6C84C3EA
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C84C3F7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$String__crt$_freea_s_invalid_parameter_noinfo_strnlenmallocstrcpy_s
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2430913482-0
                                                                                                                                                                                  • Opcode ID: 355c0b3d7a68555f3d038c3f150bd7c996f35f7d83c9e58ba6c4f42a4264ab02
                                                                                                                                                                                  • Instruction ID: 44faaef94c631fc19269a55298e6ee39dfc82cad3e07487bb4d4c82b712d287c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 355c0b3d7a68555f3d038c3f150bd7c996f35f7d83c9e58ba6c4f42a4264ab02
                                                                                                                                                                                  • Instruction Fuzzy Hash: C4415B71605208EFEB315BA8CE44BDA3FA5EF82318F108869E4149BB91D73685848BE1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcsnlen.MSVCR100(?,?,?,?,?,?,?,?,6C82CD55,?,?,?), ref: 6C82CCE8
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,6C82CD55,?,?,?), ref: 6C84C84E
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6C82CD55,?,?,?), ref: 6C84C858
                                                                                                                                                                                  • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,?,?,?,?,6C82CD55,?,?,?), ref: 6C84C875
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C82CD55,?,?,?), ref: 6C84C886
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C82CD55,?,?,?), ref: 6C84C891
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C82CD55,?,?,?), ref: 6C84C8A7
                                                                                                                                                                                  • malloc.MSVCR100(00000008,?,?,6C82CD55,?,?,?), ref: 6C84C8DF
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C82CD55,?,?,?), ref: 6C84C8FB
                                                                                                                                                                                  • ___crtLCMapStringW.LIBCMT(?,00000200,?,000000FF,00000000,00000000,?,?,6C82CD55,?,?,?), ref: 6C84C916
                                                                                                                                                                                  • wcscpy_s.MSVCR100(?,?,00000000,?,?,?,?,?,?,?,?,6C82CD55,?,?,?), ref: 6C84C927
                                                                                                                                                                                  • _freea_s.MSVCR100(00000000,?,?,?,?,?,?,?,?,6C82CD55,?,?,?), ref: 6C84C940
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$String___crt$_freea_s_invalid_parameter_noinfomallocwcscpy_swcsnlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4082481270-0
                                                                                                                                                                                  • Opcode ID: aeafb151ba2693e2229e8ee0d91a691c7af866f1a79f0496aa6bb4f376a50e31
                                                                                                                                                                                  • Instruction ID: 7243644382bb0285aaee9d83715d7822868d590f84b6df2c6f9fc6c39b961d75
                                                                                                                                                                                  • Opcode Fuzzy Hash: aeafb151ba2693e2229e8ee0d91a691c7af866f1a79f0496aa6bb4f376a50e31
                                                                                                                                                                                  • Instruction Fuzzy Hash: 18410C71604228AFE7346F6CCE84DBA37A8DF46318B104D3AE415DBB91E774CD8887A1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _malloc_crt.MSVCR100(00000355,00000000,6C824E81,00000001,00000000,00000000), ref: 6C8249DC
                                                                                                                                                                                    • Part of subcall function 6C820CD9: malloc.MSVCR100(00000001,00000001,00000001,?,6C82AB90,00000018,6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C820CE5
                                                                                                                                                                                    • Part of subcall function 6C82498E: strcat_s.MSVCR100(6C825C30,6C825C0F,6C825C20,?,00000083,00000083,?,6C825C24,6C825C0F,6C825C30,00000002,6C825C30,6C825C0F,?,00000000,00000000), ref: 6C8249AD
                                                                                                                                                                                  • strcat_s.MSVCR100(00000004,00000351,6C82498C,?,?,?,?,?,00000000,6C824E81,00000001,00000000), ref: 6C824A29
                                                                                                                                                                                  • strcmp.MSVCR100(00000000,00000010,?,?,?,?,?,?,?,?,00000000,6C824E81,00000001,00000000), ref: 6C824A46
                                                                                                                                                                                  • free.MSVCR100(6C824E81,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C824A8D
                                                                                                                                                                                  • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C824E81,00000001), ref: 6C850BD9
                                                                                                                                                                                  • free.MSVCR100(?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C824E81), ref: 6C850BE1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: freestrcat_s$__invoke_watson_malloc_crtmallocstrcmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1358975119-0
                                                                                                                                                                                  • Opcode ID: 6deb17e854a1d79f8e1ba13453f85b4a870273f3a55a8dbdf53837667e32d6ca
                                                                                                                                                                                  • Instruction ID: ca8ffdbcbfa7687c240d53c95b1d5d53982472d6434b9d728febf2e73493d081
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6deb17e854a1d79f8e1ba13453f85b4a870273f3a55a8dbdf53837667e32d6ca
                                                                                                                                                                                  • Instruction Fuzzy Hash: C2418171904705EFDB30DFA9DE88A5AB7F8AF8030CB100C79D441ABA60D779E9949B90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _lock.MSVCR100(0000000D,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C822497
                                                                                                                                                                                    • Part of subcall function 6C820C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C8221A9,0000000D), ref: 6C820C5E
                                                                                                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 6C8224A9
                                                                                                                                                                                  • _lock.MSVCR100(0000000C,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C8224C5
                                                                                                                                                                                  • free.MSVCR100(00000000,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C8224F9
                                                                                                                                                                                  • free.MSVCR100(00000000), ref: 6C847615
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C847621
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C84762D
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C847639
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C847645
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C847651
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C84765D
                                                                                                                                                                                  • free.MSVCR100(?,6C822508,00000008,6C822592,00000000,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C847669
                                                                                                                                                                                  • free.MSVCR100(?,?,6C8225B6,00000000,6C8220E0,00000008,6C822116,00000001,?), ref: 6C847675
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$_lock$CriticalDecrementEnterInterlockedSection
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3254847666-0
                                                                                                                                                                                  • Opcode ID: 308a142f8e2ab188c9fb7af34c51a7dcabdcb8217197c46f8aedf25c7b2bc889
                                                                                                                                                                                  • Instruction ID: 567302c677862ff3d76a2e75966187e19705630a96b412bc90dc3e52a9703b3c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 308a142f8e2ab188c9fb7af34c51a7dcabdcb8217197c46f8aedf25c7b2bc889
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A31C1F1625645DAD7309A7D9B5CB8B33A86F01B3DB208D2DD4559BE80EB3CE9C482D0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFullPathNameA.KERNEL32(?,?,00000000,?), ref: 6C832A42
                                                                                                                                                                                  • GetFullPathNameA.KERNEL32(?,00000000,00000000,00000000), ref: 6C847A58
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C847A5E
                                                                                                                                                                                  • __dosmaperr.LIBCMT(00000000), ref: 6C847A65
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C847A7F
                                                                                                                                                                                  • calloc.MSVCR100(?,00000001), ref: 6C847A94
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C847AA5
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C847AB2
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C847ABD
                                                                                                                                                                                  • free.MSVCR100(00000000), ref: 6C847ACB
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C847AD1
                                                                                                                                                                                  • free.MSVCR100(00000000), ref: 6C847AE8
                                                                                                                                                                                  • _getcwd.MSVCR100(?,?), ref: 6C847AF9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$FullNamePathfree$ErrorLast__dosmaperr_getcwd_invalid_parameter_noinfocalloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4002649621-0
                                                                                                                                                                                  • Opcode ID: f8ac68974c0f56d4c3400493968abda5c5e9058f70fc5e7cea50e2fe7aee69b2
                                                                                                                                                                                  • Instruction ID: c17e7374ab520d8624258aefb46dab2d029c14378bcf7516ff25d7ac3ea39395
                                                                                                                                                                                  • Opcode Fuzzy Hash: f8ac68974c0f56d4c3400493968abda5c5e9058f70fc5e7cea50e2fe7aee69b2
                                                                                                                                                                                  • Instruction Fuzzy Hash: A721BC7150824DAFDB30DEA8DE8499E379AEB4135CF258C35F500CB980EB758985CBE0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __aulldvrm__forcdecpt_l_get_printf_count_output_strlenfree
                                                                                                                                                                                  • String ID: @$@$g
                                                                                                                                                                                  • API String ID: 1547650701-3810856864
                                                                                                                                                                                  • Opcode ID: 87d4480817ec5681d33d6d2a56943ba78db7b62e6a15073e281f7fddbca0f511
                                                                                                                                                                                  • Instruction ID: 301ae6bd60179bd1c1c5bd6bb110f310292393e76f0137e749f9df52c48d120a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 87d4480817ec5681d33d6d2a56943ba78db7b62e6a15073e281f7fddbca0f511
                                                                                                                                                                                  • Instruction Fuzzy Hash: ECA1987180522D8FDB30CE68CE8C7D9BBB4AB5431AF1409E9D809A6691D7784EC4CFD8
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 6C860891
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 6C860897
                                                                                                                                                                                  • DuplicateHandle.KERNEL32(00000000), ref: 6C86089A
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C8608A4
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C8608BC
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(6C8538B0,6C8BFE78,?), ref: 6C8608CA
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCR100(0000000C,6C8538B0,6C8BFE78,?), ref: 6C8608D1
                                                                                                                                                                                  • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(6C8538B0,6C8BFE78,?), ref: 6C8608E4
                                                                                                                                                                                  • std::exception::exception.LIBCMT(?), ref: 6C860936
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentProcess$??2@AcquireConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorConcurrency@@DuplicateErrorExceptionHandleLastLock@details@ReaderThrowWrite@_Writerstd::exception::exception
                                                                                                                                                                                  • String ID: eventObject
                                                                                                                                                                                  • API String ID: 1946344800-1680012138
                                                                                                                                                                                  • Opcode ID: 8e75f7487ef47d274c93d09bf4535c6b262e3f84a991d9171e7733c48a21e800
                                                                                                                                                                                  • Instruction ID: 294590cff5e789c7f8e915f30da8990f09dd30e7518ba2c6fae2a3b68c21378d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e75f7487ef47d274c93d09bf4535c6b262e3f84a991d9171e7733c48a21e800
                                                                                                                                                                                  • Instruction Fuzzy Hash: CD31AE71A00219EFDB60CFA9CA80A9ABBF8FF08314B10492AE415D7F40D770E914CB94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C87EF31
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C87EF3B
                                                                                                                                                                                  • _strnset_s.MSVCR100(?,?,?,?,?), ref: 6C87EF64
                                                                                                                                                                                  • _ismbblead_l.MSVCR100(?,?,?), ref: 6C87EFA2
                                                                                                                                                                                  • _ismbblead_l.MSVCR100(?,?,?), ref: 6C87EFCE
                                                                                                                                                                                  • _errno.MSVCR100(?), ref: 6C87EFDF
                                                                                                                                                                                  • _ismbblead_l.MSVCR100(?,?,?), ref: 6C87F019
                                                                                                                                                                                  • _ismbblead_l.MSVCR100(?,?,?), ref: 6C87F040
                                                                                                                                                                                  • _ismbblead_l.MSVCR100(?,?,?), ref: 6C87F083
                                                                                                                                                                                  • _errno.MSVCR100(?), ref: 6C87F0DA
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C87F0E4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _ismbblead_l$_errno$_invalid_parameter_noinfo$_strnset_s
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1238685693-0
                                                                                                                                                                                  • Opcode ID: 421a414c3ae32e375dffa22e7d882b48edd7b5514ee3e6200670e55ec628b16d
                                                                                                                                                                                  • Instruction ID: 03ecc0ae9f87d7700020424c6a97a22800035c9527c8c8c01b2db7ca2d929a71
                                                                                                                                                                                  • Opcode Fuzzy Hash: 421a414c3ae32e375dffa22e7d882b48edd7b5514ee3e6200670e55ec628b16d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0171A37180928ADFCF31CFA9D6545EDBBB4AF15308F1448AFE8A066A41F3358585CBB1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 6C862461
                                                                                                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(00000020,00000000,6C85D96F,00000000,?,00000000,00000000), ref: 6C86248C
                                                                                                                                                                                  • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000001,?,00000000,00000000), ref: 6C8624E7
                                                                                                                                                                                    • Part of subcall function 6C86214D: std::exception::exception.LIBCMT(6C861FE2,?,6C861FE2,00000001), ref: 6C86216C
                                                                                                                                                                                    • Part of subcall function 6C86214D: _CxxThrowException.MSVCR100(?,6C8C0018,6C861FE2), ref: 6C862181
                                                                                                                                                                                  • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000002,00000001,?,00000000,00000000), ref: 6C8624F6
                                                                                                                                                                                  • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000003,00000002,00000001,?,00000000,00000000), ref: 6C862505
                                                                                                                                                                                  • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C862514
                                                                                                                                                                                  • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C862523
                                                                                                                                                                                  • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR100(00000008,00000006,00000005,00000003,00000002,00000001,?,00000000,00000000), ref: 6C862532
                                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 6C862550
                                                                                                                                                                                  • GetThreadPriority.KERNEL32(00000000), ref: 6C862557
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCR100(00000838), ref: 6C862658
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Thread$??2@CountCriticalCurrentExceptionH_prolog3InitializePrioritySectionSpinThrowstd::exception::exception
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 138514572-0
                                                                                                                                                                                  • Opcode ID: f379ca97f0be2616b4c00973d2f9ff8a37624417aee996a5d07c4f5902efe141
                                                                                                                                                                                  • Instruction ID: c71641a242fbfde83781127b3aa3525677b6b582281ce8554419eeb5ea17a8b5
                                                                                                                                                                                  • Opcode Fuzzy Hash: f379ca97f0be2616b4c00973d2f9ff8a37624417aee996a5d07c4f5902efe141
                                                                                                                                                                                  • Instruction Fuzzy Hash: FF611770B00A42EFD758CF3AC589B99FBA1BF49304F40866ED52DC7B41DB75A4248B80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _getptd.MSVCR100(6C82AC68,00000014,6C82B231,000000FD,6C82B281), ref: 6C82AC2E
                                                                                                                                                                                    • Part of subcall function 6C82AC84: _getptd.MSVCR100(6C82ACE0,0000000C,6C82D0AA,?,?,6C829233,?), ref: 6C82AC90
                                                                                                                                                                                    • Part of subcall function 6C82AC84: _lock.MSVCR100(0000000D), ref: 6C82ACA7
                                                                                                                                                                                  • _malloc_crt.MSVCR100(00000220,6C82AC68,00000014,6C82B231,000000FD,6C82B281), ref: 6C82B81E
                                                                                                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 6C82B859
                                                                                                                                                                                  • InterlockedIncrement.KERNEL32(00000000), ref: 6C82B87B
                                                                                                                                                                                  • _lock.MSVCR100(0000000D), ref: 6C82B896
                                                                                                                                                                                  • InterlockedDecrement.KERNEL32 ref: 6C82B90D
                                                                                                                                                                                  • InterlockedIncrement.KERNEL32(00000000), ref: 6C82B922
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Interlocked$DecrementIncrement_getptd_lock$_malloc_crt
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4169461591-0
                                                                                                                                                                                  • Opcode ID: 559d5f1d5fcc9bae547d5da7475f9f2db07fb6e7380f68dfab66bf518e4de0ad
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C869049
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C869061
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86906F
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C86908C
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C8690A4
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C8690CE
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C8690E6
                                                                                                                                                                                  • InitializeSListHead.KERNEL32(000000E8), ref: 6C8690FF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCriticalErrorH_prolog3LastSection$??2@InitializeThread$CountCreateCurrentEnterEventExceptionHeadLeaveListPrioritySpinThrow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 7361241-0
                                                                                                                                                                                  • Opcode ID: ba6b5ef313cb7ffe4f9bef45735c60a7b56a4d652e71a47bdae53f0da505e7f6
                                                                                                                                                                                  • Instruction ID: ce889350a6700ebe4bb12fce1ba23459b27e6057392978abfa0b0bb12bef0a36
                                                                                                                                                                                  • Opcode Fuzzy Hash: ba6b5ef313cb7ffe4f9bef45735c60a7b56a4d652e71a47bdae53f0da505e7f6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 34316B755006069FCB30CFA5C984BEEB7B8BF15308F504D39E466E7A40CB78A949CBA1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 6C86ABDB
                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(6C810000,?,00000104), ref: 6C86ABF7
                                                                                                                                                                                  • LoadLibraryW.KERNEL32(?), ref: 6C86AC08
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C86AC1F
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C86AC3A
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86AC4B
                                                                                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,-00000018,6C860ED5,00010000,?), ref: 6C86AC8D
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C86AC97
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C86ACAF
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86ACBD
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastModuleThrow$CreateFileHandleLibraryLoadNameThread
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 475412-0
                                                                                                                                                                                  • Opcode ID: 848277f9e06a11d2f37d9c7cfc3e5ba2a006610b0e1171bd6c5977c44fc08e38
                                                                                                                                                                                  • Instruction ID: 123ddf8a4fc343b8a054c103176f9f53ce6a897fba2b5122d44b2277d9b20d17
                                                                                                                                                                                  • Opcode Fuzzy Hash: 848277f9e06a11d2f37d9c7cfc3e5ba2a006610b0e1171bd6c5977c44fc08e38
                                                                                                                                                                                  • Instruction Fuzzy Hash: 93219F31600109AFDF34DFA5CE49BEA77B8AF05708F100879E516D6A81DB74DA48DB90
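Added example, not part of the Joe Sandbox report or of the RDMAppman.jbxd snapshot: a small Python parser for the "APIs" lines in these entries, with the triage checks a reverser would run over them before opening the dump. It separates direct calls from "Part of subcall function" lines, counts which library each call resolves to, tags a frame as Concurrency Runtime error-handling code when it constructs Concurrency::scheduler_resource_allocation_error (library code, not the sample's own logic), flags the GetModuleHandle / GetModuleFileName / LoadLibrary sequence visible in the entry above (the idiom a runtime uses to pin its own DLL in memory so worker threads cannot outlive it, and also what a loader does), and lists every recovered argument that falls inside the module mapping, since those are the pointers (thread start routine, throw info record) to follow into the .sdmp files. The sample text is constructed by copying lines from the entries above; the module base 0x6C810000 is the Offset stated in the Memory Dump Source lines, and the mapping end 0x6C8D0000 is an assumption, the excerpt does not state it. Arguments in these listings are recovered statically and often show as `?`, so treat the pointer list as leads rather than facts.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: API lines copied from the RDMAppman.jbxd entries above
# (two "Part of subcall" lines, the self-reload / CreateThread entry, and one
# LIBCMT line without an argument list), joined into a single frame.
SAMPLE_ENTRY = """
• Part of subcall function 6C86245A: GetCurrentThread.KERNEL32 ref: 6C862550
• Part of subcall function 6C86245A: GetThreadPriority.KERNEL32(00000000), ref: 6C862557
• GetModuleHandleA.KERNEL32(00000000), ref: 6C86ABDB
• GetModuleFileNameW.KERNEL32(6C810000,?,00000104), ref: 6C86ABF7
• LoadLibraryW.KERNEL32(?), ref: 6C86AC08
• GetLastError.KERNEL32 ref: 6C86AC1F
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C86AC3A
• _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86AC4B
• CreateThread.KERNEL32(00000000,00000000,-00000018,6C860ED5,00010000,?), ref: 6C86AC8D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C836A30
"""

# Base is the "Offset: 6C810000" from the Memory Dump Source lines; the end of
# the mapping is not given in the excerpt, so 0x6C8D0000 is an ASSUMED bound
# just past the last associated dump (6C8C8000).
MODULE_BASE = 0x6C810000
MODULE_END = 0x6C8D0000  # assumption

LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>.+?)\.(?P<module>[A-Z][A-Z0-9_]*)"   # name may contain ? @ $ ::
    r"(?:\((?P<args>[^)]*)\))?"                      # argument list is optional
    r",? ref: (?P<ref>[0-9A-F]{8})$"
)


def parse_arg(tok: str) -> Optional[int]:
    """Hex argument as int; '?' (not recovered by the sandbox) becomes None."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def parse_api_lines(text: str) -> List[Dict]:
    """One dict per API line: sub (caller of an inlined subcall or None),
    name, module, parsed args and the referencing instruction address."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append({"sub": m["sub"], "name": m["name"], "module": m["module"],
                      "args": args, "ref": int(m["ref"], 16)})
    return calls


def module_counts(calls: List[Dict]) -> Counter:
    """Which libraries the frame (including inlined subcalls) resolves into."""
    return Counter(c["module"] for c in calls)


def is_concrt_frame(calls: List[Dict]) -> bool:
    """Concurrency Runtime failure paths construct this exception type."""
    return any(c["name"].startswith("Concurrency::scheduler_resource_allocation_error")
               for c in calls)


SELF_RELOAD = (
    {"GetModuleHandleA", "GetModuleHandleW"},
    {"GetModuleFileNameA", "GetModuleFileNameW"},
    {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"},
)


def has_self_reload(calls: List[Dict]) -> bool:
    """True if the frame's direct calls obtain a module handle, read its path
    and LoadLibrary it again, in that order (DLL self-pinning idiom)."""
    stage = 0
    for c in calls:
        if c["sub"] is None and c["name"] in SELF_RELOAD[stage]:
            stage += 1
            if stage == len(SELF_RELOAD):
                return True
    return False


def module_pointers(calls: List[Dict]) -> List[Tuple[str, int]]:
    """(api, argument) pairs whose argument lies inside the module mapping:
    thread start routines, throw-info records and similar pivots into the dump."""
    hits = {(c["name"], a) for c in calls for a in c["args"]
            if a is not None and MODULE_BASE <= a < MODULE_END}
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    frame = parse_api_lines(SAMPLE_ENTRY)
    print(dict(module_counts(frame)))
    print("ConcRT frame:", is_concrt_frame(frame))
    print("self-reload idiom:", has_self_reload(frame))
    for api, addr in module_pointers(frame):
        print(f"{api}: {addr:08X}")
```

Run as a script it prints the per-library counts, both flags and three in-module pointers: 6C810000 passed to GetModuleFileNameW (the module base itself), 6C860ED5 passed to CreateThread (a code address in the .text dump at 6C811000, the first thing to disassemble) and 6C8BFEB4 passed to _CxxThrowException (inside the read-only data dump, the throw info for the exception). Feed it a whole report by pasting one "APIs" block at a time; the parser raises on any line shape it has not seen rather than silently skipping it.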
APIs
• HeapReAlloc.KERNEL32(00000000,00000000,6C8BFC34,00000000,00000000,?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010), ref: 6C822B14
• malloc.MSVCR100(6C8BFC34,?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57,?), ref: 6C822B90
• free.MSVCR100(00000000,00000000,?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57), ref: 6C84F367
• _callnewh.MSVCR100(6C8BFC34,?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57,?), ref: 6C84F383
• _callnewh.MSVCR100(6C8BFC34,00000000,00000000,?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010), ref: 6C84F394
• _errno.MSVCR100(00000000,00000000,?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57), ref: 6C84F39A
• _errno.MSVCR100(?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57,?,6C82AA70), ref: 6C84F3AC
• GetLastError.KERNEL32(?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57,?,6C82AA70), ref: 6C84F3B3
• _errno.MSVCR100(?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57,?,6C82AA70), ref: 6C84F3C4
• GetLastError.KERNEL32(?,6C822BAC,?,6C8BFC34,00000000,00000000,?,6C85061F,00000000,00000010,?,?,?,6C82AA57,?,6C82AA70), ref: 6C84F3CB
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno$ErrorLast_callnewh$AllocHeapfreemalloc
• String ID:
• API String ID: 2627451454-0
• Opcode ID: 75ae6e905648caf024b3643747cb2abb450b259ef8a22dc22294d2a5b1cb8aff
• Instruction ID: f131a2c0c57986e31a14c093ad32a486dc36cf54f15228d4aca79ed6845cddc6
• Opcode Fuzzy Hash: 75ae6e905648caf024b3643747cb2abb450b259ef8a22dc22294d2a5b1cb8aff
• Instruction Fuzzy Hash: C611933690161AABCB311F78DA0CA9A36A5AB9236CF108D39E4559BE50DB39C58097D0
APIs
• _W_store_num.LIBCMT ref: 6C89310D
• _W_store_winword.LIBCMT ref: 6C893133
• _W_store_winword.LIBCMT ref: 6C89315E
• _errno.MSVCR100(?,?,?,6C8933F1,?,?,00000000,?,?,?,00000000,?,?,?), ref: 6C8931A0
• _invalid_parameter_noinfo.MSVCR100(?,?,?,6C8933F1,?,?,00000000,?,?,?,00000000,?,?,?), ref: 6C8931AB
• __tzname.MSVCR100(000000FF,?,?,?,?,6C8933F1,?,?,00000000,?,?,?,00000000), ref: 6C893208
• _mbstowcs_s_l.MSVCR100(00000000,?,?,00000000,000000FF,?,?,?,?,6C8933F1,?,?,00000000,?,?,?), ref: 6C893229
• __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 6C893254
• _W_store_str.LIBCMT ref: 6C8932F1
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: W_store_winword$W_store_numW_store_str__invoke_watson__tzname_errno_invalid_parameter_noinfo_mbstowcs_s_l
• String ID:
• API String ID: 1181387638-0
• Opcode ID: 254e3a18d3e7fb618808ce342fef462dbe13fe0f950fdf14535dd403b941c6b9
• Instruction ID: 16e8bf01b906cc78ca730e9bd203226e1a35979e120225804df80386b1a92caa
• Opcode Fuzzy Hash: 254e3a18d3e7fb618808ce342fef462dbe13fe0f950fdf14535dd403b941c6b9
• Instruction Fuzzy Hash: CEC17DB130120A9FEB348E9CCA85B9A3772FF45349F244929F919C7A74D335EC518B91
APIs
• _memset.LIBCMT(?,000000FF,00000024,?,?,6C8369D0,?), ref: 6C8369F5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C836A30
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C836AED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C836B46
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C836B63
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C836B86
• _errno.MSVCR100(?,?,6C8369D0,?), ref: 6C849D32
• _invalid_parameter_noinfo.MSVCR100(?,?,6C8369D0,?), ref: 6C849D3C
• _errno.MSVCR100(?,?,?,?,6C8369D0,?), ref: 6C849D56
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_errno$_invalid_parameter_noinfo_memset
• String ID:
• API String ID: 1299486453-0
                                                                                                                                                                                  • Opcode ID: c88b2f976ce1c78875e964a327680e0b75a9b285a0a165fecb7bc1ec1a29c40d
                                                                                                                                                                                  • Instruction ID: 6151062f5ac0c34034ddf2bc3b3d659700b73e7add915258104d8cbef2516f63
                                                                                                                                                                                  • Opcode Fuzzy Hash: c88b2f976ce1c78875e964a327680e0b75a9b285a0a165fecb7bc1ec1a29c40d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 88612571A00319AFDB348FACCE40B9977BAFB85329F14CA39F515DBA90D77499048B80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetStartupInfoW.KERNEL32(?), ref: 6C82AD93
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000020,00000040), ref: 6C82AD9F
                                                                                                                                                                                  • GetStdHandle.KERNEL32(-000000F6), ref: 6C82AE36
                                                                                                                                                                                  • GetFileType.KERNEL32(00000000), ref: 6C82AE50
                                                                                                                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(-6C8C3734,00000FA0), ref: 6C82AE80
                                                                                                                                                                                  • SetHandleCount.KERNEL32 ref: 6C82AEA1
Similarity
• API ID: CountHandle$CriticalFileInfoInitializeSectionSpinStartupType_calloc_crt
• String ID:
• API String ID: 1159209115-0
• Opcode ID: c947c4d28487af0a87abfa100775ac4ad3e9e21ad427e3c1d8edb682e360dfc3
• Instruction ID: 4d3a60d31eb4e07f0ca76c3f6a5b56b9b02d51ad0ed11cdb6c1efe6b75bf03d4
• Opcode Fuzzy Hash: c947c4d28487af0a87abfa100775ac4ad3e9e21ad427e3c1d8edb682e360dfc3
• Instruction Fuzzy Hash: 0D713371A05305CFD7308B68CA8CA9977F0AF16328F254B68C565DBAD1D738E982CBC5
APIs
• memcpy_s.MSVCR100(?,?,?,?), ref: 6C832EEB
• _errno.MSVCR100 ref: 6C848C29
• _invalid_parameter_noinfo.MSVCR100 ref: 6C848C34
• _memset.LIBCMT(?,00000000,?), ref: 6C848C47
• _fileno.MSVCR100(?,?,?), ref: 6C848CA3
• _read.MSVCR100(00000000,?,?), ref: 6C848CAA
• _memset.LIBCMT(?,00000000,000000FF), ref: 6C848CD4
• _errno.MSVCR100 ref: 6C848CDC
Similarity
• API ID: _errno_memset$_fileno_invalid_parameter_noinfo_readmemcpy_s
• String ID:
• API String ID: 4008029522-0
• Opcode ID: a068426ed4a9256c8f7709657f9dc5e33b02665cc90f0d207b602e5e90d0fa0d
• Instruction ID: 7987f693c482d200660cd566caee824159de8ae7b107a9a46993ae423d7e65b2
• Opcode Fuzzy Hash: a068426ed4a9256c8f7709657f9dc5e33b02665cc90f0d207b602e5e90d0fa0d
• Instruction Fuzzy Hash: 3851EB3090221DDBCB308FE9CB4869D77B1AF41324F21DE2AD82497AD1D7789A45CBD1
APIs
• _malloc_crt.MSVCR100(00000018,6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C82AB8B
• _lock.MSVCR100(0000000A,6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C82AB9D
• InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,00000FA0,6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C82ABB4
• __FF_MSGBANNER.LIBCMT ref: 6C84749F
• __NMSG_WRITE.LIBCMT ref: 6C8474A6
• _errno.MSVCR100(6C82AA18,0000000C,6C8474F7,00000001,00000001,?,6C8221A9,0000000D), ref: 6C8474B9
Similarity
• API ID: CountCriticalInitializeSectionSpin_errno_lock_malloc_crt
• String ID:
• API String ID: 957642387-0
• Opcode ID: 68e32e5e979b34860cfc9a6051c8c7412e5c3d6461fb2524903e76b5c8fdfd1f
• Instruction ID: 6853bbfd33fb60caec1a9ff20157da0c4919e47fdd3f940e505b79537ad173f2
• Opcode Fuzzy Hash: 68e32e5e979b34860cfc9a6051c8c7412e5c3d6461fb2524903e76b5c8fdfd1f
• Instruction Fuzzy Hash: BE11B27154028AEEEB306FAC8B98AEE77A05F41318F104D39D1516BA80CB3C49C5DBD1
APIs
Strings
Similarity
• API ID: __forcdecpt_l_isleadbyte_l_mbtowc_l_strlen
• String ID: $g
• API String ID: 3157115575-3845294767
• Opcode ID: 4861988fd802baf10fae494ca69cd80c324401881d906335a7e02cb9b61442d9
• Instruction ID: d078d7fffcc0bba41566131ffb777a6895af9f63b02518d4000743e39741dea4
• Opcode Fuzzy Hash: 4861988fd802baf10fae494ca69cd80c324401881d906335a7e02cb9b61442d9
• Instruction Fuzzy Hash: 6ED18CF190522D8BDB308F18CE987D9B7B8AB05318F1449EAD608A7641D7789FC5CF98
APIs
Strings
Similarity
• API ID: _errno$_invalid_parameter_noinfo
• String ID: P
• API String ID: 2819658684-3110715001
• Opcode ID: 2f6474ec820dcee7ebc5f9af7fe1f6fd1100646321bafe231603c67851bafa68
• Instruction ID: 284e942e64b84b4342e0663b21fb7f44957903f397bce9b5d17cd57c8922aa5f
• Opcode Fuzzy Hash: 2f6474ec820dcee7ebc5f9af7fe1f6fd1100646321bafe231603c67851bafa68
• Instruction Fuzzy Hash: 223186719002599FCB30EF6CD6845EE7BB4BF01318B200E69E47097A91F73299918BA1
APIs
Strings
Similarity
• API ID: NameName::
• String ID: ,...$,<ellipsis>$...$<ellipsis>$void
• API String ID: 1333004437-2211150622
• Opcode ID: ab49ab9d9a418e31a26559d6f5f29685292231abb9557f825aee018167d7f9e9
• Instruction ID: c091fd3c25ddbcaaa6d4c1feb4bab25041106cb643ad1955040c2c6c3f48aa8f
• Opcode Fuzzy Hash: ab49ab9d9a418e31a26559d6f5f29685292231abb9557f825aee018167d7f9e9
• Instruction Fuzzy Hash: 6A219D313012189FCB21CF5CD6459A9BBF4AFC634DB84D5AAEC459B711C771EA46CB80
APIs
• sclone.LIBMPR(RDM Corporation,00EE23C6,00EE1B10,00000000,00000000,?,Function_00001000), ref: 00EE1A94
• sclone.LIBMPR(RDMAppweb), ref: 00EE1AA7
                                                                                                                                                                                  • mprGetAppDir.LIBMPR(00EE44D0,RDMAppweb,.exe,00000000), ref: 00EE1AC9
                                                                                                                                                                                  • sjoin.LIBMPR(00000000,00EE44D0,RDMAppweb,.exe,00000000), ref: 00EE1ACF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: sclone$sjoin
                                                                                                                                                                                  • String ID: .exe$RDM Corporation$RDMAppweb
                                                                                                                                                                                  • API String ID: 2662581478-348674270
                                                                                                                                                                                  • Opcode ID: 1ad3d9cfeaab7a95b75d13d3dfa683d55c36c168b4a7b4479d8b984af0e72778
                                                                                                                                                                                  • Instruction ID: 33517f785cc26d39c4ea042dcebf230f82650eaf7ad1bb3a6cad9681535b16dd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ad3d9cfeaab7a95b75d13d3dfa683d55c36c168b4a7b4479d8b984af0e72778
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2DF03AB068038C9FC350EF77E88AB0437A0AB54748F506498B2087F2E2D2B69559CB85
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 2833abc1a25905101a48ae390a31f6174985a07eefad0a5ee0f19bd82acf6ed1
                                                                                                                                                                                  • Instruction ID: 60ba614a7b0dfa3522156109414102365a0d880b27a698f3837ae4482cb1c1c6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2833abc1a25905101a48ae390a31f6174985a07eefad0a5ee0f19bd82acf6ed1
                                                                                                                                                                                  • Instruction Fuzzy Hash: C971917290125EDFDF30CF94CA949EEBBB5FB05318B15893AE5219B940D7319D80CB91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __expandlocale.LIBCMT ref: 6C824E34
                                                                                                                                                                                    • Part of subcall function 6C824CF9: _getptd.MSVCR100(00000000,00000000,00000005), ref: 6C824D2F
                                                                                                                                                                                    • Part of subcall function 6C824CF9: strcpy_s.MSVCR100(00000000,00000000,6C824DD8,00000000,00000000,00000005), ref: 6C824D9D
                                                                                                                                                                                  • strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6C824E50
                                                                                                                                                                                  • _strpbrk.LIBCMT(00000005,6C833008,00000001,00000000,00000000), ref: 6C832FCD
                                                                                                                                                                                  • strncmp.MSVCR100(6C824AD4,00000005,00000000,00000001,00000000,00000000), ref: 6C83300F
                                                                                                                                                                                  • _strlen.LIBCMT(6C824AD4,00000001,00000000,00000000), ref: 6C833036
                                                                                                                                                                                  • _strcspn.LIBCMT(00000001,6C82498C,00000001,00000000,00000000), ref: 6C83304B
                                                                                                                                                                                  • strncpy_s.MSVCR100(?,00000083,00000001,00000000,00000001,00000000,00000000), ref: 6C833075
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __expandlocale_getptd_strcspn_strlen_strpbrkstrcmpstrcpy_sstrncmpstrncpy_s
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1101789701-0
                                                                                                                                                                                  • Opcode ID: 66dc392df1d8b36d59135faf83f2d73db9e10ad4e5a27c41a085f0a30b118e18
                                                                                                                                                                                  • Instruction ID: dab8efb871883a3eef8c1a2d67487e5b0ecc2f7f97797dade761c6b346189f8d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 66dc392df1d8b36d59135faf83f2d73db9e10ad4e5a27c41a085f0a30b118e18
                                                                                                                                                                                  • Instruction Fuzzy Hash: 94510C75D042659EFF304AB88E8479A77B8AB8131CF105CB9D40DD3941DB399DC98BE0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,1CE5184F), ref: 6C868467
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C868475
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C86848E
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86849D
                                                                                                                                                                                  • _memset.LIBCMT(?,00000000,0000000C), ref: 6C868503
                                                                                                                                                                                  • SetThreadPriority.KERNEL32(?,?,?), ref: 6C868537
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C868543
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6C868554
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventExceptionHandleLastObjectPrioritySingleThreadThrowWait_memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1332095174-0
                                                                                                                                                                                  • Opcode ID: 914751c2ed2c0ccad6f533fc955d67973800d776c3aae45bcee2eb87d1ede00f
                                                                                                                                                                                  • Instruction ID: 3508e0bd7c043228b205e7b0b04bc2b8f48e050abcc7379e787e6b3930c48fcd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 914751c2ed2c0ccad6f533fc955d67973800d776c3aae45bcee2eb87d1ede00f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 98418F71604611AFC720CF25CD45A9BBBE8FF4A728F100E2AF469D7A90D734E944CB95
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _fileno.MSVCR100(?,?,?,?,?,6C833379,?), ref: 6C82CE8D
                                                                                                                                                                                  • _read.MSVCR100(00000000,?,?,?,?,6C833379,?), ref: 6C82CE94
                                                                                                                                                                                  • _fileno.MSVCR100(?), ref: 6C82CEB7
                                                                                                                                                                                  • _fileno.MSVCR100(?), ref: 6C82CEC7
                                                                                                                                                                                  • _fileno.MSVCR100(?), ref: 6C82CED8
                                                                                                                                                                                  • _fileno.MSVCR100(?,?), ref: 6C82CEE8
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C833379,?), ref: 6C84870C
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,6C833379,?), ref: 6C848717
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _fileno$_errno_invalid_parameter_noinfo_read
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2022966298-0
                                                                                                                                                                                  • Opcode ID: 8c358c10b190f23caa084dcb60aa7cc058e68cbed7a51dff8c2b0f66ac64ff96
                                                                                                                                                                                  • Instruction ID: 2a635cbfc747487961819aee7b7f9c84c6f1c720da4f30435b4695f6fe8c03aa
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c358c10b190f23caa084dcb60aa7cc058e68cbed7a51dff8c2b0f66ac64ff96
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D312431004B144AE7311FA9C7086A67BE4AF0337CB209E1ED4B997E91D77CE9868BC5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836D8E
                                                                                                                                                                                  • _get_osfhandle.MSVCR100(?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836D98
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836D9F
                                                                                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836DA6
                                                                                                                                                                                    • Part of subcall function 6C82A78A: _get_osfhandle.MSVCR100(?,?,?,?,6C82A865,?,6C82A880,00000010), ref: 6C82A795
                                                                                                                                                                                    • Part of subcall function 6C82A78A: _get_osfhandle.MSVCR100(?), ref: 6C82A7B8
                                                                                                                                                                                    • Part of subcall function 6C82A78A: CloseHandle.KERNEL32(00000000), ref: 6C82A7BF
                                                                                                                                                                                  • _errno.MSVCR100(?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C850539
                                                                                                                                                                                  • __doserrno.MSVCR100(?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C850544
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4219055303-0
                                                                                                                                                                                  • Opcode ID: 91cd3ec770539de50fb17906508cf648e16f04f734f69663c735d0eb195df95d
                                                                                                                                                                                  • Instruction ID: 7491c315c83c62695b0632933c14e15c84916c6539e0c52de9d8ff1f108734fb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 91cd3ec770539de50fb17906508cf648e16f04f734f69663c735d0eb195df95d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 57310631204285AFDB21CFBCC588AD53BF5AF0A31CF2109A5E554CFA91DB71EA45CB90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _getptd.MSVCR100(?,?,?,?,?,?,?,6C824CC0,00000014), ref: 6C824BAF
                                                                                                                                                                                    • Part of subcall function 6C824E90: _getptd.MSVCR100(6C824EF0,0000000C,6C849FD5,?,?,6C829233,?), ref: 6C824E9C
                                                                                                                                                                                    • Part of subcall function 6C824E90: _lock.MSVCR100(0000000C), ref: 6C824EB3
                                                                                                                                                                                  • _calloc_crt.MSVCR100(000000D8,00000001), ref: 6C824BCF
                                                                                                                                                                                  • _lock.MSVCR100(0000000C), ref: 6C824BE5
                                                                                                                                                                                    • Part of subcall function 6C820C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C8221A9,0000000D), ref: 6C820C5E
                                                                                                                                                                                  • __copytlocinfo_nolock.LIBCMT ref: 6C824BF3
                                                                                                                                                                                    • Part of subcall function 6C82497A: _unlock.MSVCR100(0000000C,6C824C01), ref: 6C82497C
                                                                                                                                                                                    • Part of subcall function 6C824DDA: __expandlocale.LIBCMT ref: 6C824E34
                                                                                                                                                                                    • Part of subcall function 6C824DDA: strcmp.MSVCR100(?,00000048,?,?,?,00000001,00000000,00000000), ref: 6C824E50
                                                                                                                                                                                  • strcmp.MSVCR100(00000000,6C8C39A0), ref: 6C824C28
                                                                                                                                                                                  • _lock.MSVCR100(0000000C), ref: 6C824C39
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,?,6C824CC0,00000014), ref: 6C850C98
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,?,6C824CC0,00000014), ref: 6C850CA3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _lock$_getptdstrcmp$CriticalEnterSection__copytlocinfo_nolock__expandlocale_calloc_crt_errno_invalid_parameter_noinfo_unlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2630553387-0
                                                                                                                                                                                  • Opcode ID: 681e469fb1f75e1c7f8432052a4930c07c5212f5bd106a3d45b3c5b70f7078fd
                                                                                                                                                                                  • Instruction ID: 49f039cc55ab7e28f3a985690b6199e5ad287496f7d15c0376279ce94647d9b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 681e469fb1f75e1c7f8432052a4930c07c5212f5bd106a3d45b3c5b70f7078fd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 58319E72504304AADB209BAC9A4CBDC77F0AB85328F218C39D40557B90DB7C9A899BA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbsrchr.MSVCR100(6C8C745C,0000002E,6C8C745C,00000012), ref: 6C8769E7
                                                                                                                                                                                    • Part of subcall function 6C88175B: __mbsrchr_l.LIBCMT(00000400,6C86F51E,00000000,?,6C86F0E5,6C86F51E,0000002E,?,?,?,6C86F51E,00000400,?), ref: 6C881768
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(6C8C745C,00000012), ref: 6C8769FE
                                                                                                                                                                                  • strtoul.MSVCR100(00000001,00000000,00000020,00000000,6C8C745C,00000012), ref: 6C876A0F
                                                                                                                                                                                  • __ultoa_s.LIBCMT(?,?,00000008,00000020,00000000,6C8C745C,00000012), ref: 6C876A38
                                                                                                                                                                                  • strcpy_s.MSVCR100(00000001,00000000,?,?,?,?,?,00000000,6C8C745C,00000012), ref: 6C876A4F
                                                                                                                                                                                  • __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6C8C745C,00000012), ref: 6C876A60
                                                                                                                                                                                  • _errno.MSVCR100(6C876BA8,00000010,6C876BFA,00000000,?,00000002,7FFFFFFF,00000000), ref: 6C876A77
                                                                                                                                                                                  • _errno.MSVCR100(6C876BA8,00000010,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,6C8C745C,00000012), ref: 6C876A92
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$__invoke_watson__mbsrchr_l__ultoa_s_invalid_parameter_noinfo_mbsrchrstrcpy_sstrtoul
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2319564628-0
                                                                                                                                                                                  • Opcode ID: 0cdc459a237c9b4de0319a229889701fed2ae117362f44ee9e9838a29c55c077
                                                                                                                                                                                  • Instruction ID: 7728fbf9766b7d1479215b4b4e1644a95ec675769aaae70fb3f704a96b497d56
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0cdc459a237c9b4de0319a229889701fed2ae117362f44ee9e9838a29c55c077
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA21F871A402046EDB309F7C8E89EEE7768EF45718F104D35E514C7A80FF74A94986A5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __doserrno.MSVCR100(6C836D08,00000010), ref: 6C836C59
                                                                                                                                                                                  • __doserrno.MSVCR100(6C836D08,00000010), ref: 6C850575
                                                                                                                                                                                  • _errno.MSVCR100(6C836D08,00000010), ref: 6C85057D
                                                                                                                                                                                  • _errno.MSVCR100(6C836D08,00000010), ref: 6C850592
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(6C836D08,00000010), ref: 6C85059D
                                                                                                                                                                                  • __doserrno.MSVCR100(6C836D08,00000010), ref: 6C8505A4
                                                                                                                                                                                  • _extend_ioinfo_arrays.LIBCMT ref: 6C8505AD
                                                                                                                                                                                  • _errno.MSVCR100(6C836D08,00000010), ref: 6C8505BA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __doserrno_errno$_extend_ioinfo_arrays_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3030660385-0
                                                                                                                                                                                  • Opcode ID: b86bce6e970c86757ea2ac2ca173debf43224a7983d4cb684d99a5af20f504cb
                                                                                                                                                                                  • Instruction ID: 9bb9177f59b0ebf3b83c13a457185ac1e0105c7c0d291330d9c8ad0e5c4c76fb
                                                                                                                                                                                  • Opcode Fuzzy Hash: b86bce6e970c86757ea2ac2ca173debf43224a7983d4cb684d99a5af20f504cb
                                                                                                                                                                                  • Instruction Fuzzy Hash: C92133715051608EC7311FEC8B803ED7660AF8231CF522E78D069ABEC0DBB909868BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • DecodePointer.KERNEL32(6C8C7580,6C82BD3C,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAA1
                                                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAAE
                                                                                                                                                                                  • _msize.MSVCR100(00000000,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AACB
                                                                                                                                                                                    • Part of subcall function 6C822231: HeapSize.KERNEL32(00000000,00000000,?,6C82AAD0,00000000,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC), ref: 6C82224B
                                                                                                                                                                                  • EncodePointer.KERNEL32(?,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAE7
                                                                                                                                                                                  • EncodePointer.KERNEL32(-00000004,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAEF
                                                                                                                                                                                  • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C832BAF
                                                                                                                                                                                  • EncodePointer.KERNEL32(00000000,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C832BC5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 765448609-0
                                                                                                                                                                                  • Opcode ID: fca1a9da376dbb261b780effc9699a22be065731d0aad401b08cf2fe9f736911
                                                                                                                                                                                  • Instruction ID: 4684fc0fd835fd408f6c8cc558e96692bf542be5fcfd56ab46dc1782d13b4fdd
                                                                                                                                                                                  • Opcode Fuzzy Hash: fca1a9da376dbb261b780effc9699a22be065731d0aad401b08cf2fe9f736911
                                                                                                                                                                                  • Instruction Fuzzy Hash: E211E732600226FFDB305FA8DEC88C977E9EB953643211936D805E3A11EB79DD849BD0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C89680E,?,?), ref: 6C896963
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,6C89680E,?,?), ref: 6C89696E
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,6C89680E,?,?), ref: 6C896980
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4106058386-0
                                                                                                                                                                                  • Opcode ID: 395231cd5ee89da786a4ab72510c87ed72add6ee294ffb40115aeae3158d87af
                                                                                                                                                                                  • Instruction ID: 15219138ca8ba3253c01871a7012db6e498fec0aa2b8360472726a847af1b66f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 395231cd5ee89da786a4ab72510c87ed72add6ee294ffb40115aeae3158d87af
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2711DC71600249AEDB309F6DCE08B9A7AB8EB827ACF114A34E951D7680DB70DD40CBD0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32(6C813238,?,6C8207BA,6C8B7F62), ref: 6C82069C
                                                                                                                                                                                  • __set_flsgetvalue.MSVCR100 ref: 6C8206AA
                                                                                                                                                                                    • Part of subcall function 6C82067B: TlsGetValue.KERNEL32(?,6C8206AF), ref: 6C820684
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 6C8206BC
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000001,00000214), ref: 6C8475B7
                                                                                                                                                                                  • DecodePointer.KERNEL32(00000000), ref: 6C8475D5
                                                                                                                                                                                  • _initptd.MSVCR100(00000000,00000000), ref: 6C8475E4
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C8475EB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$CurrentDecodePointerThreadValue__set_flsgetvalue_calloc_crt_initptd
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 242762301-0
                                                                                                                                                                                  • Opcode ID: cb4299cd000025f75685c2c3218a0395f1f89a2abc90340684d38b4b23b17d2d
                                                                                                                                                                                  • Instruction ID: 0a39da1642990934bb21628550e45028970c4c4e9f6ce78210bb0af2c3b33af1
                                                                                                                                                                                  • Opcode Fuzzy Hash: cb4299cd000025f75685c2c3218a0395f1f89a2abc90340684d38b4b23b17d2d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 29F0D632A017636BD73117685E1DA8A7AF0DF427787110934F515D6990CF64CD81D6D4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbtowc_l$__forcdecpt_l
                                                                                                                                                                                  • String ID: $g
                                                                                                                                                                                  • API String ID: 3275779137-3845294767
                                                                                                                                                                                  • Opcode ID: 5e518f8cff176d364a2c9fe6f9f1b78fcf7ef8d20edac8df69451de4fb6417e9
                                                                                                                                                                                  • Instruction ID: fc2adf997264b21e057378216d033c81ae39e56fad9a85d0fbfc9078c8214fb8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e518f8cff176d364a2c9fe6f9f1b78fcf7ef8d20edac8df69451de4fb6417e9
                                                                                                                                                                                  • Instruction Fuzzy Hash: FCD16EF1D0422DCADB708B14CE887C8B7B4AB45318F2445EAD748B7641DB3A9EC58F99
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 6C85C6AB
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,0000000C,6C862690), ref: 6C85C6C8
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C85C75F
                                                                                                                                                                                    • Part of subcall function 6C86276D: __EH_prolog3.LIBCMT ref: 6C862774
                                                                                                                                                                                    • Part of subcall function 6C86276D: TlsGetValue.KERNEL32(?,00000000,6C85C6DE,?), ref: 6C862782
                                                                                                                                                                                    • Part of subcall function 6C86276D: ??2@YAPAXI@Z.MSVCR100(0000003C), ref: 6C8627FD
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000), ref: 6C85C788
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6C85C7A2
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C85C7B7
                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 6C85C7C0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$H_prolog3Leave$??2@EnterEventValue
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1045167556-0
                                                                                                                                                                                  • Opcode ID: 019c68a8101758dd6c4343e71abd5ed72e8e57f7aae052c932bb870f699dd8f2
                                                                                                                                                                                  • Instruction ID: 1e9418e26f5ce487fda32b7b8b7af59590de7932df4ff0df3b419d32aac5184d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 019c68a8101758dd6c4343e71abd5ed72e8e57f7aae052c932bb870f699dd8f2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 06419D70900341CFDB61DF28C685BAABBF0BF08318F10496ED556DAA91D7B4D954CF90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __fltout2.LIBCMT ref: 6C8A06F3
                                                                                                                                                                                    • Part of subcall function 6C89FD7F: ___dtold.LIBCMT ref: 6C89FDA5
                                                                                                                                                                                    • Part of subcall function 6C89FD7F: _$I10_OUTPUT.LIBCMT(?,?,00000016,?,?,?,6C8A00BE,00000000,?,?,000000A3,00000016,?,00000000,?,?), ref: 6C89FDC0
                                                                                                                                                                                    • Part of subcall function 6C89FD7F: strcpy_s.MSVCR100(6C8A00BE,?,?,?,?,00000016,?,?,?,6C8A00BE,00000000,?,?,000000A3,00000016,?), ref: 6C89FDE0
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,00000000,?,?,?,?,000000A3,?,?,?,?,00000000,00000000), ref: 6C8A06FF
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,00000000,?,?,?,?,000000A3,?,?,?,?,00000000,00000000), ref: 6C8A0706
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • __fptostr.LIBCMT ref: 6C8A073E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: I10____dtold__fltout2__fptostr_errno_invalid_parameter_invalid_parameter_noinfostrcpy_s
                                                                                                                                                                                  • String ID: -
                                                                                                                                                                                  • API String ID: 3041646763-2547889144
                                                                                                                                                                                  • Opcode ID: e11fea9a1858129770e3421fb43e32bf079013d912baa2d8187313d3149ae47b
                                                                                                                                                                                  • Instruction ID: 5598b9c9949e0114a0aaed44d9d0126d327286a872460812d9feb11f448a2462
                                                                                                                                                                                  • Opcode Fuzzy Hash: e11fea9a1858129770e3421fb43e32bf079013d912baa2d8187313d3149ae47b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4931E432900149AFDF259FACCE40DEE7FB5AF4A314F044924F812A7690E7329966DF61
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __EH_prolog3_GS.LIBCMT ref: 6C858813
                                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 6C85885E
                                                                                                                                                                                    • Part of subcall function 6C85B795: _memset.LIBCMT(?,00000000,0000000C), ref: 6C85B7A0
                                                                                                                                                                                    • Part of subcall function 6C85B795: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6C85B7A8
                                                                                                                                                                                    • Part of subcall function 6C85B795: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100 ref: 6C85B7B2
                                                                                                                                                                                    • Part of subcall function 6C85B795: GetCurrentProcess.KERNEL32(?,?), ref: 6C85B7C4
                                                                                                                                                                                    • Part of subcall function 6C85B795: GetProcessAffinityMask.KERNEL32(00000000), ref: 6C85B7CB
                                                                                                                                                                                  • _memset.LIBCMT(00000000,00000000,0000000C,?,6C862BA8,00000000,?,?,?,?,00000000,00000000), ref: 6C858899
                                                                                                                                                                                    • Part of subcall function 6C85B7F5: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100(?,?,6C85899B,00000000,?,?), ref: 6C85B7FB
                                                                                                                                                                                    • Part of subcall function 6C85B7F5: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR100(?,?,6C85899B,00000000,?,?), ref: 6C85B805
                                                                                                                                                                                    • Part of subcall function 6C85B7F5: SetThreadAffinityMask.KERNEL32(?,?), ref: 6C85B814
                                                                                                                                                                                    • Part of subcall function 6C86314F: SetEvent.KERNEL32(?), ref: 6C863192
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,6C85D20F,?,00000000,00000000), ref: 6C8588C7
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(00000000,?,00000000), ref: 6C8588F3
                                                                                                                                                                                  • TlsGetValue.KERNEL32(?,?,00000028,6C86297A,00000000,?,00000000,?,?,6C862BA8,00000000,?,?,?,?,00000000), ref: 6C858915
                                                                                                                                                                                  • TlsSetValue.KERNEL32(?,00000000,?,6C862BA8,00000000,?,?,?,?,00000000,00000000), ref: 6C858920
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Version@$Concurrency@@Manager@1@Resource$AffinityCriticalCurrentMaskProcessSectionThreadValue_memset$EnterEventH_prolog3_Leave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4131446515-0
                                                                                                                                                                                  • Opcode ID: d09dd454cffb7016880fa9421ef32414a96e20fb975908e73253911cb1142f89
                                                                                                                                                                                  • Instruction ID: 324f3ce45fc16d0460683aff5449efb7a8e23bc419f596bc41f08ac3fa61493c
                                                                                                                                                                                  • Opcode Fuzzy Hash: d09dd454cffb7016880fa9421ef32414a96e20fb975908e73253911cb1142f89
                                                                                                                                                                                  • Instruction Fuzzy Hash: E2319A75A00205CFCF14DF64CAC49AA7BB4FF19318B0548A9EC05AF756DB34E815CB91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _memset.LIBCMT(?,000000FF,00000024), ref: 6C836905
                                                                                                                                                                                  • _get_daylight.MSVCR100(?), ref: 6C836941
                                                                                                                                                                                  • _get_dstbias.MSVCR100(?), ref: 6C836953
                                                                                                                                                                                  • _get_timezone.MSVCR100(?), ref: 6C836965
                                                                                                                                                                                  • _gmtime64_s.MSVCR100(?,?), ref: 6C836999
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C8369BF
                                                                                                                                                                                  • _gmtime64_s.MSVCR100(?,?), ref: 6C8369CB
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C849DE1
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C849DEB
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C849DF7
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C849E01
                                                                                                                                                                                  • _gmtime64_s.MSVCR100(?,?), ref: 6C849E3A
                                                                                                                                                                                  • __allrem.LIBCMT ref: 6C849EA5
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C849EC1
                                                                                                                                                                                  • __allrem.LIBCMT ref: 6C849ED8
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C849EF6
                                                                                                                                                                                  • __allrem.LIBCMT ref: 6C849F0D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __allrem_errno_gmtime64_s$Unothrow_t@std@@@__ehfuncinfo$??2@_invalid_parameter_noinfo$_get_daylight_get_dstbias_get_timezone_memset
                                                                                                                                                                                  • String ID: U
                                                                                                                                                                                  • API String ID: 3568092448-3372436214
                                                                                                                                                                                  • Opcode ID: 3ce7e9fd9b5b7076f79c8e5399a864e9ab641d4b5311fa2554be39dd865b5a71
                                                                                                                                                                                  • Instruction ID: 3569b64e991ffc5aadf92195d1e6a49099033bb2c723799c00e00ace8b11b7ca
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ce7e9fd9b5b7076f79c8e5399a864e9ab641d4b5311fa2554be39dd865b5a71
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2021D675A0162A9A9B30CFEDCB809DDB3BCAF8121CB246977D808D7D40E770D9444691
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _tolower_l.MSVCR100(00000000,00000000,00000000,00000099,7FFFFFFF,00000000), ref: 6C82F052
                                                                                                                                                                                  • _tolower_l.MSVCR100(00000000,00000000,00000000,00000000,00000000,00000099,7FFFFFFF,00000000), ref: 6C82F061
                                                                                                                                                                                  • ___ascii_strnicmp.LIBCMT ref: 6C837686
                                                                                                                                                                                  • _errno.MSVCR100(00000000,00000099,7FFFFFFF,00000000), ref: 6C84C408
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(00000000,00000099,7FFFFFFF,00000000), ref: 6C84C413
                                                                                                                                                                                  • _errno.MSVCR100(00000000,00000099,7FFFFFFF,00000000), ref: 6C84C42F
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(00000000,00000099,7FFFFFFF,00000000), ref: 6C84C43A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_noinfo_tolower_l$___ascii_strnicmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2390777603-0
                                                                                                                                                                                  • Opcode ID: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
                                                                                                                                                                                  • Instruction ID: ede01f5d143889257da7d7b71132e9053cf0fb8c5d8cb44ba9d276b3d5efefbf
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5dee6ccd69475502ea7b5f51668898b67aece249fb893b167051157f32c20104
                                                                                                                                                                                  • Instruction Fuzzy Hash: C821B9319012599FDB319EACCB08BFE7BA4AF41228F240EA4A470576D1EB74C949C7D1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C849225
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C849230
                                                                                                                                                                                  • _errno.MSVCR100(?), ref: 6C84923D
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?), ref: 6C849248
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: B
                                                                                                                                                                                  • API String ID: 2959964966-1255198513
                                                                                                                                                                                  • Opcode ID: edd275210728800d1351eb05aeb73171c7f1e9d6414c99896fe65ef0e2fee524
                                                                                                                                                                                  • Instruction ID: f9f4b4d84474608f0079b7536479e0ab0f4e45d0ecc7a5cc96b46f27c5d91c12
                                                                                                                                                                                  • Opcode Fuzzy Hash: edd275210728800d1351eb05aeb73171c7f1e9d6414c99896fe65ef0e2fee524
                                                                                                                                                                                  • Instruction Fuzzy Hash: F221927180025E9FDF309FB8CA449DE7BB5FB45328F144A2AE530A7680D7389954CBE5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 6C82AEB8
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 6C82AEF6
                                                                                                                                                                                  • _malloc_crt.MSVCR100(00000000), ref: 6C82AF00
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 6C82AF19
                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C82AF24
                                                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6C82AF33
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide$_malloc_crt
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3279498665-0
                                                                                                                                                                                  • Opcode ID: 7f3af6464a41c59609539c065fab2d79de5796edea0c0f72ef2225047311c80f
                                                                                                                                                                                  • Instruction ID: e6f188066e9cefe595489fcf27f44dd300c96c9ba823e425cfd38c620dea4135
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f3af6464a41c59609539c065fab2d79de5796edea0c0f72ef2225047311c80f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9A1186A6942118BF8B315B655E4C8DFBFBCEF563987104862F001D2940D778CD818AF0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: NameName::$Name::operator+
• String ID: void$void
• API String ID: 826178784-3746155364
APIs
• __EH_prolog3.LIBCMT ref: 6C866AED
• InitializeSListHead.KERNEL32(?,00000010,6C866ED3,00000000,?), ref: 6C866B0B
• GetLastError.KERNEL32 ref: 6C866B3E
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C866B56
• _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C866B64
• GetLastError.KERNEL32 ref: 6C866B7E
• ??2@YAPAXI@Z.MSVCR100(00000030), ref: 6C866B8C
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: ErrorLast$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionH_prolog3HeadInitializeListThrow
• String ID:
• API String ID: 3312236879-0
APIs
• __EH_prolog3.LIBCMT ref: 6C858ACB
  • Part of subcall function 6C8562F7: __EH_prolog3.LIBCMT ref: 6C8562FE
  • Part of subcall function 6C8562F7: ??2@YAPAXI@Z.MSVCR100 ref: 6C856366
  • Part of subcall function 6C8562F7: _memset.LIBCMT(00000000,00000000,81104C15), ref: 6C856378
• CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,6C860AF2,?,00000001,00000010,6C860C38,00000000,00000000,6C860AF2,?,6C860AF2,?), ref: 6C858AFB
• GetLastError.KERNEL32(?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858B0B
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858B23
• _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858B31
• ??2@YAPAXI@Z.MSVCR100(0000001C,5D8B5351,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858B43
• GetCurrentThreadId.KERNEL32 ref: 6C858B78
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: ??2@H_prolog3$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateCurrentErrorEventExceptionLastThreadThrow_memset
• String ID:
• API String ID: 1121080609-0
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(?,Function_00001E70), ref: 00EE1F7F
• GetLastError.KERNEL32(?,00EE2045), ref: 00EE1F90
• mprError.LIBMPR(Cannot register handler: 0x%x,00000000), ref: 00EE1F9C
• SetServiceStatus.ADVAPI32(00000000,00EE6044), ref: 00EE1FF9
• SetServiceStatus.ADVAPI32(?,00EE6044), ref: 00EE2031
Strings
• Cannot register handler: 0x%x, xrefs: 00EE1F97
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: Service$ErrorStatus$CtrlHandlerLastRegister
• String ID: Cannot register handler: 0x%x
• API String ID: 1350019001-3203017252
APIs
• FindWindowA.USER32(RDMAppweb,RDMAppweb), ref: 00EE1B33
• PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00EE1B40
• mprSleep.LIBMPR(00000064,00000000,?,?,?,00EE1F1A,00002710,00000000), ref: 00EE1B64
• FindWindowA.USER32(RDMAppweb,RDMAppweb), ref: 00EE1B7C
• TerminateProcess.KERNEL32(?,00000000,?,?,?,00EE1F1A,00002710,00000000), ref: 00EE1B9B
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: FindWindow$MessagePostProcessSleepTerminate
• String ID: RDMAppweb
• API String ID: 578541577-2395462953
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: Name::operator+$NameName::
• String ID: throw(
• API String ID: 168861036-3159766648
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C87AB0B
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C87AB16
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • __wsopen_s.LIBCMT(00000000,00000000,00008002,00000040,00000000), ref: 6C87AB30
                                                                                                                                                                                  • __futime64.LIBCMT(00000000,?), ref: 6C87AB44
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C87AB52
                                                                                                                                                                                  • _close.MSVCR100(00000000), ref: 6C87AB61
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C87AB6C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$__futime64__wsopen_s_close_invalid_parameter_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 503974632-0
                                                                                                                                                                                  • Opcode ID: e59799948323e6fdbb630e856d70e8e401be95e9652310b7b78e804d2446fb5c
                                                                                                                                                                                  • Instruction ID: 59b89404d814282057dc7d39d924370cac6749138e5df1c15848f1e06365b64a
                                                                                                                                                                                  • Opcode Fuzzy Hash: e59799948323e6fdbb630e856d70e8e401be95e9652310b7b78e804d2446fb5c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4301A7325041087EDB301E6DDD04FCD3B259B41778F154621FA284BAE0EB31D5858BE4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • DecodePointer.KERNEL32(6C8C7580,6C82BD3C,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAA1
                                                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAAE
                                                                                                                                                                                  • _msize.MSVCR100(00000000,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AACB
                                                                                                                                                                                    • Part of subcall function 6C822231: HeapSize.KERNEL32(00000000,00000000,?,6C82AAD0,00000000,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC), ref: 6C82224B
                                                                                                                                                                                  • EncodePointer.KERNEL32(?,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAE7
                                                                                                                                                                                  • EncodePointer.KERNEL32(-00000004,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C82AAEF
                                                                                                                                                                                  • _realloc_crt.MSVCR100(00000000,00000800,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C832BAF
                                                                                                                                                                                  • EncodePointer.KERNEL32(00000000,?,?,?,6C82AA57,?,6C82AA70,0000000C,6C82BAA1,?,?,6C84F2FC,6C8BFC34,?), ref: 6C832BC5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Pointer$Encode$Decode$HeapSize_msize_realloc_crt
                                                                                                                                                                                  • String ID: U
                                                                                                                                                                                  • API String ID: 765448609-3372436214
                                                                                                                                                                                  • Opcode ID: 6132e14ee6a78ebbded7e149de893b43f7a05015270e8d5a4f5ac9f5e6f3a7bf
                                                                                                                                                                                  • Instruction ID: f47c77a8d18b95bc42ecb491a0495f3a96e39f624470572b3080ccb7ed135ea9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6132e14ee6a78ebbded7e149de893b43f7a05015270e8d5a4f5ac9f5e6f3a7bf
                                                                                                                                                                                  • Instruction Fuzzy Hash: F3F0F932600225AFCB209FB4DCC48C97BE9EB993A43114537D449D3601E7B5D980DBC0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000088,00000000,00000000,00000002,00000000,?,?,?,?,6C860C55,?,6C860AF2,?), ref: 6C858BE8
                                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 6C858BEB
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,6C860C55,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858BF2
                                                                                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,?,?,?,6C860C55,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858BF5
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,6C860C55,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858BFF
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,6C860C55,?,6C860AF2,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C858C17
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000,?,?,?,?,6C860C55,?,6C860AF2,?,?,?,?,00000000), ref: 6C858C25
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Current$Process$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorExceptionHandleLastThreadThrow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2881127307-0
                                                                                                                                                                                  • Opcode ID: ab743977a7600706418f6354428ad5ed587c554077309d03a53d50d90b4a1b0b
                                                                                                                                                                                  • Instruction ID: e236cef7b1f38fa1c860685e22c1f96476d550cf121b703496be528f7071a60b
                                                                                                                                                                                  • Opcode Fuzzy Hash: ab743977a7600706418f6354428ad5ed587c554077309d03a53d50d90b4a1b0b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 35F09672A50116A6CE70A6B58D0DF9B7BBCAF55758F404936B505D3980DF74E404C7E0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __doserrno.MSVCR100 ref: 6C86EAD9
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C86EAE1
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C86EAEC
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000), ref: 6C86EAF9
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C86EB04
                                                                                                                                                                                  • __dosmaperr.LIBCMT(00000000), ref: 6C86EB0B
                                                                                                                                                                                  • SetFileAttributesA.KERNEL32(00000000,00000000), ref: 6C86EB25
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFile$ErrorLast__doserrno__dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 567378056-0
                                                                                                                                                                                  • Opcode ID: 16602dfadc696742a3bdfe39f8e31a721ea2f7a20492b178c39650d333780d98
                                                                                                                                                                                  • Instruction ID: 56b952766a450b130846751fb9c9e69c5f38c9636a7a754151c3a44cec5035c5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 16602dfadc696742a3bdfe39f8e31a721ea2f7a20492b178c39650d333780d98
                                                                                                                                                                                  • Instruction Fuzzy Hash: 23F06D31954108AFDB201BBA9E097A93AA4AF5233EF104B20F42994EE0CB75C484DBD0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __doserrno.MSVCR100 ref: 6C87049A
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C8704A2
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C8704AD
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 6C8704BA
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C8704C5
                                                                                                                                                                                  • __dosmaperr.LIBCMT(00000000), ref: 6C8704CC
                                                                                                                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 6C8704E6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFile$ErrorLast__doserrno__dosmaperr_errno_invalid_parameter_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 567378056-0
                                                                                                                                                                                  • Opcode ID: 797fd7349e028f0039322433bb822b6d228b5b1b22624a5350d7c571ef358884
                                                                                                                                                                                  • Instruction ID: 2e3dcbe09eefcbc260491d2cdd2b72ffc5c1bc5868f9d0380bc3301b7510ed47
                                                                                                                                                                                  • Opcode Fuzzy Hash: 797fd7349e028f0039322433bb822b6d228b5b1b22624a5350d7c571ef358884
                                                                                                                                                                                  • Instruction Fuzzy Hash: 61F036315156899FDB301BB9CA097AE3AA56F4233DF104B60F539C49E0DB76C490DAA1
                                                                                                                                                                                  APIs
  • Part of subcall function 00EE1F70: RegisterServiceCtrlHandlerA.ADVAPI32(?,Function_00001E70), ref: 00EE1F7F
  • Part of subcall function 00EE1F70: GetLastError.KERNEL32(?,00EE2045), ref: 00EE1F90
  • Part of subcall function 00EE1F70: mprError.LIBMPR(Cannot register handler: 0x%x,00000000), ref: 00EE1F9C
• mprError.LIBMPR(Cannot register service), ref: 00EE204E
• ExitThread.KERNEL32 ref: 00EE2058
• SetServiceStatus.ADVAPI32(?,00EE6044), ref: 00EE209D
• SetServiceStatus.ADVAPI32(?,00EE6044), ref: 00EE20DA
• ExitThread.KERNEL32 ref: 00EE20DD
Strings
• Cannot register service, xrefs: 00EE2049
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: ErrorService$ExitStatusThread$CtrlHandlerLastRegister
• String ID: Cannot register service
• API String ID: 604916024-774281869
APIs
• sclone.LIBMPR(RDM Corporation,00EE23C6,00EE1B10,00000000,00000000,?,Function_00001000), ref: 00EE1A94
• sclone.LIBMPR(RDMAppweb), ref: 00EE1AA7
• mprGetAppDir.LIBMPR(00EE44D0,RDMAppweb,.exe,00000000), ref: 00EE1AC9
• sjoin.LIBMPR(00000000,00EE44D0,RDMAppweb,.exe,00000000), ref: 00EE1ACF
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: sclone$sjoin
• String ID: .exe$RDMAppweb
• API String ID: 2662581478-3911555727
APIs
• _errno.MSVCR100(?,?,?,6C820936,?,?,00000000), ref: 6C847946
• _invalid_parameter_noinfo.MSVCR100(?,?,?,6C820936,?,?,00000000), ref: 6C847950
• _errno.MSVCR100(?,?,?,?,6C820936,?,?,00000000), ref: 6C84795C
• _invalid_parameter_noinfo.MSVCR100(?,?,?,?,6C820936,?,?,00000000), ref: 6C847966
• _errno.MSVCR100(?,?,?,?,6C820936,?,?,00000000), ref: 6C847972
• _errno.MSVCR100(?,?,?,?,?,6C820936,?,?,00000000), ref: 6C847991
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno$_invalid_parameter_noinfo
• String ID:
• API String ID: 2819658684-0
APIs
• __EH_prolog3.LIBCMT ref: 6C866568
• Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 6C866579
• GetTickCount.KERNEL32 ref: 6C866580
• WaitForSingleObject.KERNEL32(?,?), ref: 6C8665A4
• ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100 ref: 6C8665D9
• CloseHandle.KERNEL32(?), ref: 6C866685
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: AcquireBase::CloseConcurrency::details::Concurrency@@CountH_prolog3HandleLock@details@ObjectReaderSchedulerSingleThrottlingTickTimeWaitWrite@_Writer
• String ID:
• API String ID: 1057910834-0
APIs
• _errno.MSVCR100 ref: 6C89CCCE
• _errno.MSVCR100 ref: 6C89CD0A
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89CCD9
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• _errno.MSVCR100 ref: 6C89CCEA
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89CCF5
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89CD15
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
• String ID:
• API String ID: 1328987296-0
APIs
• _errno.MSVCR100 ref: 6C89CD57
• _errno.MSVCR100 ref: 6C89CD93
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89CD62
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• _errno.MSVCR100 ref: 6C89CD73
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89CD7E
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89CD9E
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
• String ID:
• API String ID: 1328987296-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _getptd.MSVCR100(6C82ACE0,0000000C,6C82D0AA,?,?,6C829233,?), ref: 6C82AC90
                                                                                                                                                                                  • _lock.MSVCR100(0000000D), ref: 6C82ACA7
                                                                                                                                                                                    • Part of subcall function 6C820C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C8221A9,0000000D), ref: 6C820C5E
                                                                                                                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 6C82D0B7
                                                                                                                                                                                  • InterlockedIncrement.KERNEL32(02961688), ref: 6C82D0DF
                                                                                                                                                                                    • Part of subcall function 6C82ACFC: _unlock.MSVCR100(0000000D,6C82ACCF), ref: 6C82ACFE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Interlocked$CriticalDecrementEnterIncrementSection_getptd_lock_unlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1606532611-0
                                                                                                                                                                                  • Opcode ID: 26e139903bb4e84480b10bc7d3f1bf152b63cee906fe997b59af9d2837a16dfc
                                                                                                                                                                                  • Instruction ID: f00ead205223e79a617abdae8066d22704ef20504098be93eeee051af90a1dc7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 26e139903bb4e84480b10bc7d3f1bf152b63cee906fe997b59af9d2837a16dfc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E115271E06A65DBDB319B6986087C97670BF01B19F114D25D8106BF80DB389EC7CBD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __freebuf.LIBCMT ref: 6C82A903
                                                                                                                                                                                    • Part of subcall function 6C82A8AE: free.MSVCR100(?,?,?,6C82A908,?,?), ref: 6C82A8C5
                                                                                                                                                                                  • _fileno.MSVCR100(?,?,?), ref: 6C82A909
                                                                                                                                                                                  • _close.MSVCR100(00000000,?,?,?), ref: 6C82A90F
                                                                                                                                                                                  • _errno.MSVCR100 ref: 6C848B94
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100 ref: 6C848B9F
                                                                                                                                                                                    • Part of subcall function 6C82A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6C82A900,?), ref: 6C82A694
                                                                                                                                                                                    • Part of subcall function 6C82A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6C82A900,?), ref: 6C82A69B
                                                                                                                                                                                  • free.MSVCR100(?), ref: 6C848BB4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _filenofree$__freebuf_close_errno_invalid_parameter_noinfo_write
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1941134952-0
                                                                                                                                                                                  • Opcode ID: 0c03a7350c23a4a37fcfb518264520126cbcfc0aa4ba02ae4b539e9514dbc655
                                                                                                                                                                                  • Instruction ID: 471dbdbae67c52cab95402419f78009e239b419c48612b26e183b2be7250fb7b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c03a7350c23a4a37fcfb518264520126cbcfc0aa4ba02ae4b539e9514dbc655
                                                                                                                                                                                  • Instruction Fuzzy Hash: 16F0D1729017182ED330167E4E08BCB76989F8637DF154E26997897EC0E73CD4864AE0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,00000000,?,?,?,?,?,?,?,6C85D20F,?,00000000,00000000,?), ref: 6C862A6A
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000,?,00000000,00000000,?,?,?,?,?,?,?,6C85D20F,?,00000000,00000000,?), ref: 6C862AF8
                                                                                                                                                                                  • ??_V@YAXPAX@Z.MSVCR100(?,?,?,00000000,00000000,?,?,?,?,?,?,?,6C85D20F,?,00000000,00000000), ref: 6C862C4F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: ,$,
                                                                                                                                                                                  • API String ID: 0-220654547
                                                                                                                                                                                  • Opcode ID: 03894b3d17109734d562bfcd162bd2f8fc99f3d3eba4bf352f169d5fa9c56562
                                                                                                                                                                                  • Instruction ID: 175a7fd9e60dc33727192340910aa465a6c71686b498f947e14070518a412ece
                                                                                                                                                                                  • Opcode Fuzzy Hash: 03894b3d17109734d562bfcd162bd2f8fc99f3d3eba4bf352f169d5fa9c56562
                                                                                                                                                                                  • Instruction Fuzzy Hash: 16615471609741DFC328CF29C694A5BBBE1FF89308F154E6EE4DA8BA51D734A840CB52
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 6C85C85F
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C85C920
                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 6C85C92F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                                  • String ID: $$,
                                                                                                                                                                                  • API String ID: 3094578987-53852779
                                                                                                                                                                                  • Opcode ID: cfe403805ab5503133d95b62d0d907c096526c175c1e0c0685579c70bf5b6864
                                                                                                                                                                                  • Instruction ID: 180f92f1a785fa65727e1a3e05bdf5fa5a84962a304f6cb2b0b9b643a4ea4413
                                                                                                                                                                                  • Opcode Fuzzy Hash: cfe403805ab5503133d95b62d0d907c096526c175c1e0c0685579c70bf5b6864
                                                                                                                                                                                  • Instruction Fuzzy Hash: 343114B0E0471ADFCB64DFA9C6C095ABBF1FF08308B548969D54697A12C370E994CF90
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID: P
                                                                                                                                                                                  • API String ID: 2959964966-3110715001
                                                                                                                                                                                  • Opcode ID: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
                                                                                                                                                                                  • Instruction ID: a94859a1a398a57b7bfc52546c5b04882346a2f8cef48a87a7d02eef60d32961
                                                                                                                                                                                  • Opcode Fuzzy Hash: b4594cfbb7066c9c193d30eb55ddf32ecdc70655408ba1b29cc7a16e5209f139
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4C21F5332452999FDF315E5C8A845DD779A9B42318B204D3BE5609BE80E239CCC48BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C86035A: TlsGetValue.KERNEL32(6C856185), ref: 6C86036C
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C86AD16
                                                                                                                                                                                  • swprintf.LIBCMT(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6C86AA8C,?,?,?), ref: 6C86AD40
                                                                                                                                                                                  • _vswprintf_s.LIBCMT(00000401,00000401,?,6C86AA8C,?,00000002,000000F8,?,6C86AA8C,?,?,?), ref: 6C86AD62
                                                                                                                                                                                  • _wcslen.LIBCMT(?,00000401,00000401,?,6C86AA8C,?,00000002,000000F8,?,6C86AA8C,?,?,?), ref: 6C86AD68
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: CurrentThreadValue_vswprintf_s_wcslenswprintf
• String ID: [%d:%d:%d:%d(%d)]
• API String ID: 4177499147-3832470304
• Opcode ID: 3aa1d0d82f5e4076ea525b7c47dfea5601de0654e3bfda11fb4eeba51c35b8c6
• Instruction ID: 1e0506d28939549af1cabe20970138f53d0aa7d71946e002fe2348201e875ce6
• Opcode Fuzzy Hash: 3aa1d0d82f5e4076ea525b7c47dfea5601de0654e3bfda11fb4eeba51c35b8c6
• Instruction Fuzzy Hash: 80110A72200210AFC7328F6ACE88E9B77B9EF843267158D25F519D7F60DB35D8458790
APIs
• strcat_s.MSVCR100(6C825C30,6C825C0F,6C825C20,?,00000083,00000083,?,6C825C24,6C825C0F,6C825C30,00000002,6C825C30,6C825C0F,?,00000000,00000000), ref: 6C8249AD
• __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000,6C825C0F,6C825C30,00000002,6C825C30,6C825C0F,?,00000000,00000000,00000005), ref: 6C850ACD
• __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C850AD8
• _strcspn.LIBCMT(00000000,_.,,00000000,00000000,00000005), ref: 6C850AE6
Strings
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: __invoke_watson$_strcspnstrcat_s
• String ID: _.,
• API String ID: 4004410220-2709443920
• Opcode ID: d5f9822a9b0e775f20ab95ff9b31a9994e81d7a266f1a150528500b21423e11a
• Instruction ID: 2a8919f109a225dbd017ad362841c80981d1535aca26d767803a51e6bf6551e6
• Opcode Fuzzy Hash: d5f9822a9b0e775f20ab95ff9b31a9994e81d7a266f1a150528500b21423e11a
• Instruction Fuzzy Hash: E0F024B29042097B8F200E2DAE808CF3B19FFC123C7114D36FD2891A02D775E0A69691
APIs
• std::bad_exception::bad_exception.LIBCMT(Attempted a typeid of NULL pointer!,6C8950C8,00000014), ref: 6C895008
  • Part of subcall function 6C893564: std::exception::exception.LIBCMT(?,?,?,6C85B6BA,bad typeid), ref: 6C893570
• _CxxThrowException.MSVCR100(?,6C82BEA4,6C8950C8,00000014), ref: 6C895016
  • Part of subcall function 6C8377D4: RaiseException.KERNEL32(?,?,6C84F317,?,?,?,?,?,6C84F317,?,6C82BDD8,6C8C7580), ref: 6C837813
• std::bad_exception::bad_exception.LIBCMT(Bad read pointer - no RTTI data!,6C8950C8,00000014), ref: 6C895040
  • Part of subcall function 6C893582: std::bad_exception::bad_exception.LIBCMT(?), ref: 6C89358D
Strings
• Bad read pointer - no RTTI data!, xrefs: 6C895038
• Attempted a typeid of NULL pointer!, xrefs: 6C895000
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: std::bad_exception::bad_exception$Exception$RaiseThrowstd::exception::exception
• String ID: Attempted a typeid of NULL pointer!$Bad read pointer - no RTTI data!
• API String ID: 3174778160-236372618
• Opcode ID: 0272b47283f6bcded6c08f0863bff93c2fd4e15ba2291bfc2e40d895954a2c9b
• Instruction ID: d1a93b53387308c95edbda8cb76eee4d544f404c7d7ac7156c5b7a9d8448cbd3
• Opcode Fuzzy Hash: 0272b47283f6bcded6c08f0863bff93c2fd4e15ba2291bfc2e40d895954a2c9b
• Instruction Fuzzy Hash: 75F05E306023049ACB20CAACCB54ADDB3B46F0921AF504EA4E502A7B50C7359F08A7D2
APIs
• strncmp.MSVCR100(?,?,00000000,00000080,00000080), ref: 6C880476
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: strncmp
• String ID:
• API String ID: 1114863663-0
• Opcode ID: 7fa57c1b83a49c0074dfd75ef93246eb05ecc27c8c77189ceafccc20f183d79c
• Instruction ID: b27d08d65c84ba5902632568f6dbd94fe0c93b5625dec1ab0470d05c69b8ee18
• Opcode Fuzzy Hash: 7fa57c1b83a49c0074dfd75ef93246eb05ecc27c8c77189ceafccc20f183d79c
• Instruction Fuzzy Hash: 0741D4704072D99BDB319E68C6507AD3BA0AF0232DF144B99E4B1ABDD1C735C685DBA0
APIs
• strncmp.MSVCR100(00000000,?,00000000,?,?), ref: 6C880D91
• _errno.MSVCR100(?,?,?), ref: 6C880DB7
• _invalid_parameter_noinfo.MSVCR100(?,?,?), ref: 6C880DC2
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• _errno.MSVCR100(?,?,?,?), ref: 6C880DE6
• _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 6C880DF1
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo$_invalid_parameterstrncmp
• String ID:
• API String ID: 2244377858-0
• Opcode ID: 61910172b939837cbd4b9b63766d1c225393b54835ed180ac9bb7a565fc03428
• Instruction ID: b0f14337426ae44a57581a676e52838c3edc49877a0121d5370c42898b144726
• Opcode Fuzzy Hash: 61910172b939837cbd4b9b63766d1c225393b54835ed180ac9bb7a565fc03428
• Instruction Fuzzy Hash: 5141D7319072D99BDB319E68C6407AA3BB0AF0232DF184B95E4F05BDE2D7348595C7A0
APIs
• ??2@YAPAXI@Z.MSVCR100(000000C0,1CE5184F), ref: 6C866CD2
  • Part of subcall function 6C8202C1: malloc.MSVCR100(?), ref: 6C8202CC
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 6C866DD3
  • Part of subcall function 6C8697E4: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6C869848
  • Part of subcall function 6C8697E4: GetLastError.KERNEL32 ref: 6C869855
  • Part of subcall function 6C8697E4: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C86986D
  • Part of subcall function 6C8697E4: _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86987B
  • Part of subcall function 6C8697E4: GetLastError.KERNEL32 ref: 6C8698A2
  • Part of subcall function 6C8697E4: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C8698BA
  • Part of subcall function 6C8697E4: GetLastError.KERNEL32 ref: 6C8698DD
  • Part of subcall function 6C8697E4: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C8698F5
  • Part of subcall function 6C85867E: _memset.LIBCMT(?,00000000,0000000C,6C8586BD), ref: 6C858683
• GetLastError.KERNEL32 ref: 6C866D6A
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C866D83
• _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C866D92
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLast$ExceptionThrow$??2@CreateEventMultipleObjectsWait_memsetmalloc
• String ID:
• API String ID: 2739790103-0
• Opcode ID: b5802a31ba98b8ff9f4fcdedbf385ac5cdf09564d16a234c2fa5e88bdff5aaec
• Instruction ID: 931b5b2eb2c8e7937420d7ad95429704095db43e7b421fe2331a2f267c978e63
• Opcode Fuzzy Hash: b5802a31ba98b8ff9f4fcdedbf385ac5cdf09564d16a234c2fa5e88bdff5aaec
• Instruction Fuzzy Hash: DD418E71608341AFD720CF69C942B56BBF8FB89364F100A29F854D7B90DB71E948CB92
APIs
• _lock.MSVCR100(00000001,6C82C6A0,00000010,6C82C872,6C82C8B0,0000000C), ref: 6C82C66B
  • Part of subcall function 6C820C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C8221A9,0000000D), ref: 6C820C5E
• _malloc_crt.MSVCR100(00000038,6C82C6A0,00000010,6C82C872,6C82C8B0,0000000C), ref: 6C848F66
• InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0,6C82C6A0,00000010,6C82C872,6C82C8B0,0000000C), ref: 6C848F8E
• free.MSVCR100(029621C0), ref: 6C848FA0
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$CountEnterInitializeSpin_lock_malloc_crtfree
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 954917037-0
                                                                                                                                                                                  • Opcode ID: 59325be5d16c592debd4d6aaf687d23fdc4d11db2e64e6dd20e91e980a1aa4b9
                                                                                                                                                                                  • Instruction ID: cf9b22c4a3c3ac49068dd3e3ef5a062ec2c751669c4b6464f7b1eb6f3f8babd3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 59325be5d16c592debd4d6aaf687d23fdc4d11db2e64e6dd20e91e980a1aa4b9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9D31C2716042059FE730DF6DD688A69B7F0BF5A328B11492EE09597A52CB38E9C1DFC0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00EE1B20: FindWindowA.USER32(RDMAppweb,RDMAppweb), ref: 00EE1B33
                                                                                                                                                                                    • Part of subcall function 00EE1B20: PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 00EE1B40
                                                                                                                                                                                    • Part of subcall function 00EE1B20: mprSleep.LIBMPR(00000064,00000000,?,?,?,00EE1F1A,00002710,00000000), ref: 00EE1B64
                                                                                                                                                                                    • Part of subcall function 00EE1B20: FindWindowA.USER32(RDMAppweb,RDMAppweb), ref: 00EE1B7C
                                                                                                                                                                                    • Part of subcall function 00EE1B20: TerminateProcess.KERNEL32(?,00000000,?,?,?,00EE1F1A,00002710,00000000), ref: 00EE1B9B
                                                                                                                                                                                  • SetEvent.KERNEL32(?,?,?,?,?,?,00EE1EB9,00000001), ref: 00EE1D2A
                                                                                                                                                                                    • Part of subcall function 00EE1A00: SetServiceStatus.ADVAPI32(?,00EE6044,00EE1EFB), ref: 00EE1A51
                                                                                                                                                                                  • GetExitCodeThread.KERNEL32(?,?,?,?,?,?,?,00EE1EB9,00000001), ref: 00EE1D5E
                                                                                                                                                                                  • GetExitCodeThread.KERNEL32(?,00000005,?,?,?,?,?,?,00EE1EB9,00000001), ref: 00EE1D8E
                                                                                                                                                                                  • mprSleep.LIBMPR(00000064,00000000,?,?,?,?,?,?,00EE1EB9,00000001), ref: 00EE1D93
                                                                                                                                                                                  • SetServiceStatus.ADVAPI32(?,00EE6044), ref: 00EE1DF5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CodeExitFindServiceSleepStatusThreadWindow$EventMessagePostProcessTerminate
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3207871257-0
                                                                                                                                                                                  • Opcode ID: 11e8d4fa3fcb626c33b10e82df0be4235e7590c675918911715a6628ef973c49
                                                                                                                                                                                  • Instruction ID: b1a51e185f6134fec956daa24ad359874c31d8f5904754be3df70cf8ceb24a1a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 11e8d4fa3fcb626c33b10e82df0be4235e7590c675918911715a6628ef973c49
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8931AC709043D89FC334CF17ECC4A6A3BB5EB903AAF108599F50AAB260C7759988CB51
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFileType.KERNEL32(?,?,?,6C898B48,0000000C), ref: 6C898A64
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,6C898B48,0000000C), ref: 6C898A6E
                                                                                                                                                                                  • __dosmaperr.LIBCMT(00000000,?,?,6C898B48,0000000C), ref: 6C898A75
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C898B48,0000000C), ref: 6C898AA5
                                                                                                                                                                                  • __doserrno.MSVCR100(?,?,6C898B48,0000000C), ref: 6C898AB0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFileLastType__doserrno__dosmaperr_errno
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3203400888-0
                                                                                                                                                                                  • Opcode ID: 8d08ace52abbbd5f9a417c0c6b2c9667ed05ead2e7278f0d35072772bc46a319
                                                                                                                                                                                  • Instruction ID: 2316e1585d72d146882b40bd8e91221c6ff917b48551982b09f7cf825862fae2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8d08ace52abbbd5f9a417c0c6b2c9667ed05ead2e7278f0d35072772bc46a319
                                                                                                                                                                                  • Instruction Fuzzy Hash: 192108705453469FCB218B7CC6057CDBBA0AF42328F188F66D4648B6E2D779C185DF82
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 6C862FBF
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,00000028,6C85F124,00000000,?,00000000,?,6C85CACE,?,00000000,00000000,?,?), ref: 6C862FCB
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000,?,?), ref: 6C862FF0
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 6C86304D
                                                                                                                                                                                  • ??_V@YAXPAX@Z.MSVCR100(?), ref: 6C86305B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$EnterH_prolog3Leave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4250467438-0
                                                                                                                                                                                  • Opcode ID: e2809d7ebbfa72073c70c5eeb82b8ad13eb7126de98b4f0b7b06bfe8170e7933
                                                                                                                                                                                  • Instruction ID: 4a7be8c2a475ad8a620894671427acdf98477457faca9a65385fae717b7271aa
                                                                                                                                                                                  • Opcode Fuzzy Hash: e2809d7ebbfa72073c70c5eeb82b8ad13eb7126de98b4f0b7b06bfe8170e7933
                                                                                                                                                                                  • Instruction Fuzzy Hash: CF21C330601A46DFDB28CB7AC685A6A77F4BF45304B204868E052DBE61DB34DD48C761
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$__mbsrtowcs_helper_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2140840981-0
                                                                                                                                                                                  • Opcode ID: ba04e9300f0a9c4809802428bf7184966f77a5d6c996245775e6baa33a4d1385
                                                                                                                                                                                  • Instruction ID: 8f80f458006a62e15719195c3bb50eaa3e7b3c474f4508e10f3421ceda8658b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: ba04e9300f0a9c4809802428bf7184966f77a5d6c996245775e6baa33a4d1385
                                                                                                                                                                                  • Instruction Fuzzy Hash: 911103315106159BCBB1BE2C8A0079F73A4EF81728F100E19ECA687A81F330E550C7A1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _fileno.MSVCR100(?,?,?,6C831072,?,6C8310A8,0000000C,6C8310DE,Function_000113F7,?,?,00000000,?), ref: 6C830DB6
                                                                                                                                                                                  • _isatty.MSVCR100(00000000,?,?,?,6C831072,?,6C8310A8,0000000C,6C8310DE,Function_000113F7,?,?,00000000,?), ref: 6C830DBC
                                                                                                                                                                                  • __p__iob.MSVCR100(?,?,6C831072,?,6C8310A8,0000000C,6C8310DE,Function_000113F7,?,?,00000000,?), ref: 6C848A2D
                                                                                                                                                                                  • _malloc_crt.MSVCR100(00001000,?,?,?,?,6C831072,?,6C8310A8,0000000C,6C8310DE,Function_000113F7,?,?,00000000,?), ref: 6C848A71
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __p__iob_fileno_isatty_malloc_crt
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 301265415-0
                                                                                                                                                                                  • Opcode ID: 506aa6178428ece67331739103f80f8e0247f26965259b8e6170a3d1dcc44170
                                                                                                                                                                                  • Instruction ID: 2fa229296c8d7806f06cec8e82b34a429e67d5dbcb02aff1ed785d4da9d24e1d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 506aa6178428ece67331739103f80f8e0247f26965259b8e6170a3d1dcc44170
                                                                                                                                                                                  • Instruction Fuzzy Hash: FE1194B24087069ED330DF6A9A40687B7E8EB05398B109D3ED19AD2A00E3B4E4808BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _fileno.MSVCR100(?,6C8329A0,00000008), ref: 6C832928
                                                                                                                                                                                  • _lock_file.MSVCR100(?,?,6C8329A0,00000008), ref: 6C832930
                                                                                                                                                                                    • Part of subcall function 6C82A557: _lock.MSVCR100(?,?,?,6C876EA0,00000040,6C876ED8,0000000C,6C848676,00000000,?), ref: 6C82A584
                                                                                                                                                                                    • Part of subcall function 6C82A665: _fileno.MSVCR100(?,?,?,?,?,?,?,6C82A900,?), ref: 6C82A694
                                                                                                                                                                                    • Part of subcall function 6C82A665: _write.MSVCR100(00000000,?,?,?,?,?,?,6C82A900,?), ref: 6C82A69B
                                                                                                                                                                                  • _lseek.MSVCR100(00000000,00000000,00000000,?,?,6C8329A0,00000008), ref: 6C83297D
                                                                                                                                                                                  • _errno.MSVCR100(6C8329A0,00000008), ref: 6C848E56
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(6C8329A0,00000008), ref: 6C848E61
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _fileno$_errno_invalid_parameter_noinfo_lock_lock_file_lseek_write
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2790466172-0
                                                                                                                                                                                  • Opcode ID: 42b637c4b169cded22260d5803d70070ecbfba7e26a9bc13f2b0b55d1c1db147
                                                                                                                                                                                  • Instruction ID: 13c2ea6e1bade6b676cbe075ade9df81d20ba362fb120f2f1c7c3586f55a9669
                                                                                                                                                                                  • Opcode Fuzzy Hash: 42b637c4b169cded22260d5803d70070ecbfba7e26a9bc13f2b0b55d1c1db147
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E110872101A604ED7304BAC8A85ADD77909F422387259F29D4798BAD1D73CA9454BD2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100(6C82C8B0,0000000C), ref: 6C82C8D6
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(6C82C8B0,0000000C), ref: 6C8494A7
                                                                                                                                                                                    • Part of subcall function 6C82C656: _lock.MSVCR100(00000001,6C82C6A0,00000010,6C82C872,6C82C8B0,0000000C), ref: 6C82C66B
                                                                                                                                                                                  • _errno.MSVCR100(6C82C8B0,0000000C), ref: 6C8494B3
                                                                                                                                                                                  • _errno.MSVCR100(6C82C8B0,0000000C), ref: 6C8494C0
                                                                                                                                                                                  • @_EH4_CallFilterFunc@8.LIBCMT(6C8C3610,?,000000FE,6C82C8B0,0000000C), ref: 6C8494D6
                                                                                                                                                                                    • Part of subcall function 6C82C737: _wsopen_s.MSVCR100(?,?,00000000,?,00000180,00000000,?,?), ref: 6C82C801
                                                                                                                                                                                    • Part of subcall function 6C82C8CC: _unlock_file.MSVCR100(?,6C82C8A6), ref: 6C82C8CF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$CallFilterFunc@8_invalid_parameter_noinfo_lock_unlock_file_wsopen_s
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1609081514-0
                                                                                                                                                                                  • Opcode ID: 80b5c833544b11c6a7a4ea2ca9a934bb3f810acb1a4cff2ff9bd31fe4651aff1
                                                                                                                                                                                  • Instruction ID: e19327683b7714dcd1617f7da9f8429901b088495ab5df5f9070df79dad92b9f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 80b5c833544b11c6a7a4ea2ca9a934bb3f810acb1a4cff2ff9bd31fe4651aff1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5511BFB08402199EDB30AF6CCF445AE3AA5AF45324B25CE20D420CBB81E77DC9C49BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6C8476A1,?,6C82B247,6C8220E0,00000008,6C822116,00000001,?), ref: 6C86C4DA
                                                                                                                                                                                  • free.MSVCR100(00000000,?,?,6C8476A1,?,6C82B247,6C8220E0,00000008,6C822116,00000001,?), ref: 6C86C4DD
                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(00000002,?,?,6C8476A1,?,6C82B247,6C8220E0,00000008,6C822116,00000001,?), ref: 6C86C504
                                                                                                                                                                                  • DecodePointer.KERNEL32(00000005,6C8476A1,?,6C82B247,6C8220E0,00000008,6C822116,00000001,?), ref: 6C86C880
                                                                                                                                                                                  • TlsFree.KERNEL32(00000002,6C8476A1,?,6C82B247,6C8220E0,00000008,6C822116,00000001,?), ref: 6C86C89E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalDeleteSection$DecodeFreePointerfree
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1464103408-0
                                                                                                                                                                                  • Opcode ID: be904a4b3f316e8087718f52703cfce48e3bdbdb295d5ef16cbeb0a9f61e5061
                                                                                                                                                                                  • Instruction ID: a007727823c2de4d93afed144c77dc14b0cf9c76298daa86a897492f4af34d36
                                                                                                                                                                                  • Opcode Fuzzy Hash: be904a4b3f316e8087718f52703cfce48e3bdbdb295d5ef16cbeb0a9f61e5061
                                                                                                                                                                                  • Instruction Fuzzy Hash: B601DB31A01251ABDE30AB2D8E855A672F49B4273D7210F29E874D3D90C724CC86C650
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32(?,00000000,00000000,000000FF), ref: 6C860F2A
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C860F31
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C860F4A
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(00000000,6C8BFEB4,00000000), ref: 6C860F59
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 6C860F61
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionHandleLastMultipleObjectsThrowWait
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1291167946-0
                                                                                                                                                                                  • Opcode ID: db87ab364b84671bbd86cd2d026ab0f36b1dc6ddb784727cd3fa6094060652b9
                                                                                                                                                                                  • Instruction ID: c6311035b750f76c43e40e3a0457ad00fa55c0e02793d40b2010ff3acbc187fd
                                                                                                                                                                                  • Opcode Fuzzy Hash: db87ab364b84671bbd86cd2d026ab0f36b1dc6ddb784727cd3fa6094060652b9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 750126326041456AC730567A8E44B56B3EC6B45338F140F35F578C2EC1EB34E40487A9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2819658684-0
                                                                                                                                                                                  • Opcode ID: ac5993081b4231d703e568e51a09e3fc6d51bc96080e16c5721e07fe6a34f9c7
                                                                                                                                                                                  • Instruction ID: 71a6612e378d1ba25caf3768f69e6c98c13af89e48d936eafdabd98f997688fe
                                                                                                                                                                                  • Opcode Fuzzy Hash: ac5993081b4231d703e568e51a09e3fc6d51bc96080e16c5721e07fe6a34f9c7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7401627184122CAADB311EA88F04BDA3A589F4233DF104E55F8344ABE0D77A84948BE5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _lock_file.MSVCR100(?,6C832F78,0000000C), ref: 6C832F3E
                                                                                                                                                                                    • Part of subcall function 6C82A557: _lock.MSVCR100(?,?,?,6C876EA0,00000040,6C876ED8,0000000C,6C848676,00000000,?), ref: 6C82A584
                                                                                                                                                                                  • _fread_nolock_s.MSVCR100(?,?,?,?,?,6C832F78,0000000C), ref: 6C832F56
                                                                                                                                                                                    • Part of subcall function 6C832E42: memcpy_s.MSVCR100(?,?,?,?), ref: 6C832EEB
                                                                                                                                                                                    • Part of subcall function 6C832A86: _unlock_file.MSVCR100(6C832F6D,6C832F6D), ref: 6C832A89
                                                                                                                                                                                  • _memset.LIBCMT(?,00000000,000000FF,?,?,6C832F78,0000000C), ref: 6C848D02
                                                                                                                                                                                  • _errno.MSVCR100(?,?,6C832F78,0000000C), ref: 6C848D0A
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,6C832F78,0000000C), ref: 6C848D15
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno_fread_nolock_s_invalid_parameter_noinfo_lock_lock_file_memset_unlock_filememcpy_s
• String ID:
• API String ID: 3226975504-0
• Opcode ID: 60ad30449f507cdf23061ca55dcb168ff92bda383788515365faffb9d35c1640
• Instruction ID: 9138fd83ef1d18f57185fc587093209e743177549eec171e2e726298a4f45abd
• Opcode Fuzzy Hash: 60ad30449f507cdf23061ca55dcb168ff92bda383788515365faffb9d35c1640
• Instruction Fuzzy Hash: 1201407180121EEBCF319FA8CE085DE3B60BF04758F119935F82855AA1D73986A5EFD1
APIs
• _control87.MSVCR100(00000001,?,00000000,?,6C86CE9B,00000000,00010000,00030000,?,6C851D56,?,6C82B983,?,?,6C82B295,00000000), ref: 6C82CA7D
• _control87.MSVCR100(00000000,00000000,00000000,?,6C86CE9B,00000000,00010000,00030000,?,6C851D56,?,6C82B983,?,?,6C82B295,00000000), ref: 6C8524BB
• _errno.MSVCR100(00000000,?,6C86CE9B,00000000,00010000,00030000,?,6C851D56,?,6C82B983,?,?,6C82B295,00000000), ref: 6C8524C4
• _invalid_parameter_noinfo.MSVCR100(00000000,?,6C86CE9B,00000000,00010000,00030000,?,6C851D56,?,6C82B983,?,?,6C82B295,00000000), ref: 6C8524CE
• _control87.MSVCR100(00000001,?,00000000,?,6C86CE9B,00000000,00010000,00030000,?,6C851D56,?,6C82B983,?,?,6C82B295,00000000), ref: 6C8524DA
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _control87$_errno_invalid_parameter_noinfo
• String ID:
• API String ID: 1498936549-0
• Opcode ID: bf4e1a7da49c6d64d966f304bc058d75b43548e15341f806baddd6ebdcd0a6cc
• Instruction ID: e97f67604d79e1cf6b4c3f7dd1f7871ae29d2b0431089e19b9d508986e11bffa
• Opcode Fuzzy Hash: bf4e1a7da49c6d64d966f304bc058d75b43548e15341f806baddd6ebdcd0a6cc
• Instruction Fuzzy Hash: 9BF0F0B26483246BE7346E7DAA09BEA3794DF00B64F148D29FD549B780DF78D88052D4
APIs
• _errno.MSVCR100 ref: 6C87B00A
• _invalid_parameter_noinfo.MSVCR100 ref: 6C87B015
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• _errno.MSVCR100 ref: 6C87B02D
• __localtime32_s.LIBCMT(?,?), ref: 6C87B03F
  • Part of subcall function 6C879784: _errno.MSVCR100(?,?,?,?), ref: 6C8797A0
  • Part of subcall function 6C879784: _invalid_parameter_noinfo.MSVCR100(?,?,?,?), ref: 6C8797AA
• __wasctime.LIBCMT(?), ref: 6C87B04E
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno$_invalid_parameter_noinfo$__localtime32_s__wasctime_invalid_parameter
• String ID:
• API String ID: 2302537511-0
• Opcode ID: ccf6d401a7d9515b2db6caec868d2b05f51e3044a5461bfb3030b02a9d522d1f
• Instruction ID: 0da6c64361e239baebbff19e00a22fa7cfa10b72556a6f7ac00f196dd43887ec
• Opcode Fuzzy Hash: ccf6d401a7d9515b2db6caec868d2b05f51e3044a5461bfb3030b02a9d522d1f
• Instruction Fuzzy Hash: E4F06D71604208DECB349FADCA58BDE3BE89F4A318F040835D050DBA40FB34D9889A74
APIs
• __startOneArgErrorHandling.LIBCMT ref: 6C8144BD
  • Part of subcall function 6C838900: __87except.LIBCMT ref: 6C83893B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
• Opcode ID: 2a12cb72aff3fc955fd9ebb9aec6c3d4fcbbcb285088454ba58062b62817aa33
• Instruction ID: 034c89184f679d4cdc4f21c6d14560b0ba9cbe40560a33f0e103409897a44bf4
• Opcode Fuzzy Hash: 2a12cb72aff3fc955fd9ebb9aec6c3d4fcbbcb285088454ba58062b62817aa33
• Instruction Fuzzy Hash: B8515E71A0D10B86D7316B19CB0139B3BE4DBC375CF244E79E4E582E98DF358898CA86
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo_strlen
• String ID: I
• API String ID: 1245117036-3707901625
• Opcode ID: 104c0a01e2b9b4bfe5cf8e790197371b81950b518ee4aa113952663ec273a45e
• Instruction ID: 824e2c07de02d8af9e13aa35a8d6071985fbe2439ece2fac8574bbb515c9f93d
• Opcode Fuzzy Hash: 104c0a01e2b9b4bfe5cf8e790197371b81950b518ee4aa113952663ec273a45e
• Instruction Fuzzy Hash: B101A271C0025AABDF108FA8C804AEE7BB5BF44728F104A2AF424B6280D779C5418FE4
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(?,Function_00001E70), ref: 00EE1F7F
• GetLastError.KERNEL32(?,00EE2045), ref: 00EE1F90
• mprError.LIBMPR(Cannot register handler: 0x%x,00000000), ref: 00EE1F9C
• SetServiceStatus.ADVAPI32(00000000,00EE6044), ref: 00EE1FF9
• SetServiceStatus.ADVAPI32(?,00EE6044), ref: 00EE2031
Strings
• Cannot register handler: 0x%x, xrefs: 00EE1F97
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: Service$ErrorStatus$CtrlHandlerLastRegister
• String ID: Cannot register handler: 0x%x
• API String ID: 1350019001-3203017252
• Opcode ID: c9633f3ea03aa1efbfdd9b291172294c736d9c5f76a3b00bbe00798e3d491fd4
• Instruction ID: 1ad7f210954480e1ff16d68db506742e8c51903da7fbbc71d72bea81a7d30966
• Opcode Fuzzy Hash: c9633f3ea03aa1efbfdd9b291172294c736d9c5f76a3b00bbe00798e3d491fd4
• Instruction Fuzzy Hash: A9E0C2B19002A89FC230EBA3FC898A977A8EB083913011461F402F6160C330898CC691
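Each record above lists, per function, the imported APIs with their call-site addresses, the strings the function references, the memory dump it was lifted from (with the module base in the Source File line), and the similarity identifiers. The Python below is added here as a worked example; it is not part of the Joe Sandbox report or its tooling. It parses records in this layout into structured data and pulls out the functions that touch the Windows service-control API, as the ADVAPI32 record at 00EE1F7F does, converting each call site to an RVA against the module base so it can be compared across runs and samples. The sample input is constructed from records on this page. The SERVICE_APIS watch-list is my own, and reading the composite API String ID as an API-set identifier followed by a string-set identifier is my inference from the records on this page (the second part is 0 whenever String ID is empty), not a Joe Sandbox definition.

```python
"""Parse the Joe Sandbox function records on this page ("APIs / Strings / Memory Dump
Source / Similarity" blocks) and pull out the functions that touch the service-control API."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records in the page's layout, reduced to the lines that are parsed.
SAMPLE = """\
APIs
• _errno.MSVCR100 ref: 6C87B00A
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• __wasctime.LIBCMT(?), ref: 6C87B04E
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
Similarity
• API ID: _errno$_invalid_parameter_noinfo$__localtime32_s__wasctime_invalid_parameter
• String ID:
• API String ID: 2302537511-0
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(?,Function_00001E70), ref: 00EE1F7F
• mprError.LIBMPR(Cannot register handler: 0x%x,00000000), ref: 00EE1F9C
• SetServiceStatus.ADVAPI32(00000000,00EE6044), ref: 00EE1FF9
Strings
• Cannot register handler: 0x%x, xrefs: 00EE1F97
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
Similarity
• API ID: Service$ErrorStatus$CtrlHandlerLastRegister
• String ID: Cannot register handler: 0x%x
• API String ID: 1350019001-3203017252
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally reported from a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^•\s*(?P<s>.*?), xrefs: (?P<xrefs>.+)$")
# Assumed watch-list (mine, not Joe Sandbox's): any hit marks the function as SCM plumbing.
SERVICE_APIS = {"RegisterServiceCtrlHandlerA", "RegisterServiceCtrlHandlerW", "SetServiceStatus",
                "StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW"}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int        # absolute address of the call site in the memory dump
    subcall: bool   # True when reported from a callee ("Part of subcall function")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "Source File", ...


def parse_records(text):
    """One FunctionRecord per "APIs" header; bullets outside a known section are skipped."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":              # every record opens with this header
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            if section == "APIs":
                m = API_RE.match(line)
                if m:
                    current.apis.append(ApiCall(m["api"], m["mod"], int(m["ref"], 16), bool(m["subfn"])))
            elif section == "Strings":
                m = STR_RE.match(line)
                if m:
                    current.strings.append(m["s"])
            else:                           # "• Key: value"; a repeated key keeps the last value
                key, _, value = line[1:].partition(":")
                current.fields[key.strip()] = value.strip()
    return records


def image_base(rec):
    """Module base from the "Offset: XXXXXXXX" part of the Source File line."""
    m = re.search(r"Offset: ([0-9A-F]+)", rec.fields.get("Source File", ""))
    return int(m.group(1), 16) if m else None


def api_string_id(rec):
    """Composite "API String ID" as (API-set id, string-set id); the second is 0 when String ID is empty."""
    a, _, s = rec.fields.get("API String ID", "").partition("-")
    return (int(a), int(s)) if a and s else None


def service_entry_points(records):
    """(image base, RVA of the first service-API call site, API) per function; RVAs pivot across runs."""
    hits = []
    for rec in records:
        base = image_base(rec)
        for call in rec.apis:
            if base is not None and call.api in SERVICE_APIS:
                hits.append((base, call.ref - base, call.api))
                break
    return hits
```

Run it over a saved copy of this section's text with `service_entry_points(parse_records(text))`; for the ADVAPI32 record above it yields base 00EE0000 and RVA 0x1F7F for the RegisterServiceCtrlHandlerA call site. The RVA is the value to look up once the module is loaded in a disassembler, whatever base it was given in the sandbox run; the dump addresses in the "ref:" fields only hold for this run.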
APIs
• _errno.MSVCR100 ref: 6C89EA0F
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89EA1A
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• _errno.MSVCR100 ref: 6C89EA33
• _invalid_parameter_noinfo.MSVCR100 ref: 6C89EA3E
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
• String ID:
• API String ID: 1328987296-0
• Opcode ID: 8dbf596d3a0d2537a024ccf3c58277b8f47f141a5c8f322144fc1925e4b4baf9
• Instruction ID: f25d33716d4418ae40cce1867ae28298e3d8cb7517bf8c988f681cf87f2379fe
• Opcode Fuzzy Hash: 8dbf596d3a0d2537a024ccf3c58277b8f47f141a5c8f322144fc1925e4b4baf9
• Instruction Fuzzy Hash: 93A13431A042599FCB21CF6D8A805DE7FB6BF9A308F188969FC55A7744E230D951CBE0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2959964966-0
                                                                                                                                                                                  • Opcode ID: 0f7806659183300477434c852ae5586eb72dadc6bc092987c5a806937287d50d
                                                                                                                                                                                  • Instruction ID: 693d1870a10c46f147811ac108347d293183f02d79369e87aaf3a07240d2771e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f7806659183300477434c852ae5586eb72dadc6bc092987c5a806937287d50d
                                                                                                                                                                                  • Instruction Fuzzy Hash: F6915834A082A98FCF218F688A8859D7B75EFCA309F144855ECA497700D7389D90CFF1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000,00000000), ref: 6C856DB6
                                                                                                                                                                                  • _memset.LIBCMT(00000000,00000000,?,00000000,00000000), ref: 6C856DC9
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,00000000), ref: 6C856DD0
                                                                                                                                                                                  • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,00000000), ref: 6C856E1B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4058414921-0
                                                                                                                                                                                  • Opcode ID: 8a8e85d4cc88f67032dec752c3637cf254629f84b124e337e5fe8da74d4f25a8
                                                                                                                                                                                  • Instruction ID: 4b3b038c33fc2040718a321d42562696723f48c8613ecddbe4195149976ae0ba
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a8e85d4cc88f67032dec752c3637cf254629f84b124e337e5fe8da74d4f25a8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 59519A30505301CFD765CF29C681616B7E0FF89329F508E6DE4AA8BB91D771E845CB92
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??_U@YAPAXI@Z.MSVCR100(00000000,6C860AF2), ref: 6C858FFA
                                                                                                                                                                                  • _memset.LIBCMT(00000000,00000000,?,00000000,6C860AF2), ref: 6C85900D
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCR100(0000000C,00000000,00000000,?,00000000,6C860AF2), ref: 6C859014
                                                                                                                                                                                  • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR100(?,?,?,?,?,6C860AF2), ref: 6C85905F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Spin$??2@Concurrency@@Once@?$_Wait@$00@details@_memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4058414921-0
                                                                                                                                                                                  • Opcode ID: 2610667b8e79ecf0bdd4503e133bfe8a4fa89606bd419d7e3d72ca45de54ca5a
                                                                                                                                                                                  • Instruction ID: 8e2f77fc884c02c2fe187fc0ef151ae128406ff86e6e29fc94683be2f8be3cac
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2610667b8e79ecf0bdd4503e133bfe8a4fa89606bd419d7e3d72ca45de54ca5a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0951A070108301CFD765CF29C680716B3E0FF89328F548E6EE4AA8BA95D771E845CB92
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,762330B0,?,?,6C860F1D,00000000), ref: 6C860F8C
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCR100(?,?,?,6C860F1D,00000000), ref: 6C86106D
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,6C860F1D,00000000), ref: 6C86107A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$??3@EnterLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3906572401-0
                                                                                                                                                                                  • Opcode ID: 3d1c4436ba1e6a4844e005f7a461c94840cd52afab9b5baa9e2fdec76c509e9d
                                                                                                                                                                                  • Instruction ID: f281ba718de39302c919208430c33eba1dca6927c69abafb08ea7aafa04f6b96
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d1c4436ba1e6a4844e005f7a461c94840cd52afab9b5baa9e2fdec76c509e9d
                                                                                                                                                                                  • Instruction Fuzzy Hash: C3418D74604685DFCB34CF26C280A96B3F4FF09304B108E69E99A8BE12E731E944DB95
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 6C8685EB
                                                                                                                                                                                  • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C868620
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(6C8538B0,6C8BFE78,?,?), ref: 6C86862E
                                                                                                                                                                                  • std::exception::exception.LIBCMT(?,?), ref: 6C868703
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Concurrency::unsupported_os::unsupported_osCurrentExceptionThreadThrowstd::exception::exception
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1840351702-0
                                                                                                                                                                                  • Opcode ID: 09eed4cadbf23c9600d67f078b505ab6619176da340c31c5d6ba761610a4acfc
                                                                                                                                                                                  • Instruction ID: 61fd55fd6f6626008eedec7cf8b24dbc006109942b7378b19519f8c51b9e49fb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 09eed4cadbf23c9600d67f078b505ab6619176da340c31c5d6ba761610a4acfc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8041C131505245DFDF31CF5AC388699BBB0AF02318F144CAAD89A6BE52C770ED89CB91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __isctype_l.LIBCMT(7FFFFFFF,00000001,00000000,00000099,7FFFFFFF,00000000,00000000,00000000,00000000,00000099,7FFFFFFF,00000000), ref: 6C84A2E4
                                                                                                                                                                                  • _isleadbyte_l.MSVCR100(00000008,00000000,00000099,7FFFFFFF,00000000,00000000,00000000,00000000,00000099), ref: 6C84A320
                                                                                                                                                                                  • __crtLCMapStringA.MSVCR100(00000000,?,00000100,00000000,00000001,7FFFFFFF,00000003,?,00000001,00000099,7FFFFFFF,00000000,00000000,00000000,00000000,00000099), ref: 6C84A36D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: String__crt__isctype_l_isleadbyte_l
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 150061899-0
                                                                                                                                                                                  • Opcode ID: f7d9de18de3688a9384fe264b6b44a006c77173d38ef939bd1b8464381d42120
                                                                                                                                                                                  • Instruction ID: 0cb3ede7153d9e99506fc7fab593bac6a01bd0c4eda9a0470828199a23b69cae
                                                                                                                                                                                  • Opcode Fuzzy Hash: f7d9de18de3688a9384fe264b6b44a006c77173d38ef939bd1b8464381d42120
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F31283190824DAFDB21CBA8C949FEE7F74AB01308F0448A9E4549F6C2D779D585CBE1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ?_SpinOnce@?$_SpinWait@$0A@@details@Concurrency@@QAE_NXZ.MSVCR100(6C856670,0000002C,6C8569F9,00000000,-00000004,-00000004,00000000,00000000,?,6C85F96F,?,?,6C859C78,?), ref: 6C85652C
                                                                                                                                                                                    • Part of subcall function 6C856E51: _SpinWait.LIBCMT(00000FA0,00000FA0,?,6C85AD21,00000000), ref: 6C856E6B
                                                                                                                                                                                  • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR100(6C856670,0000002C,6C8569F9,00000000,-00000004,-00000004,00000000,00000000,?,6C85F96F,?,?,6C859C78,?), ref: 6C856572
                                                                                                                                                                                  • ?_TryAcquireWrite@_ReaderWriterLock@details@Concurrency@@QAE_NXZ.MSVCR100(6C856670,0000002C,6C8569F9,00000000,-00000004,-00000004,00000000,00000000,?,6C85F96F,?,?,6C859C78,?), ref: 6C8565C2
                                                                                                                                                                                  • Sleep.KERNEL32(00000001,6C856670,0000002C,6C8569F9,00000000,-00000004,-00000004,00000000,00000000,?,6C85F96F,?,?,6C859C78,?), ref: 6C8565E2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Concurrency@@Spin$AcquireLock@details@ReaderWrite@_Writer$A@@details@Once@?$_SleepWaitWait@$0
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 947146699-0
                                                                                                                                                                                  • Opcode ID: 248b6d00408d211b50bd0f2cd6ea065b125501a09d44ad743d34f0a8475835e6
                                                                                                                                                                                  • Instruction ID: 5c190bae6d2bac806720be8b76d352b28905ab619a0fae9efd6e27b52fd582da
                                                                                                                                                                                  • Opcode Fuzzy Hash: 248b6d00408d211b50bd0f2cd6ea065b125501a09d44ad743d34f0a8475835e6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 77418971A40748CFDB60CFA8C6443DEBBF0AF14319F940929C411A7B89C7B5E968CBA0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_noinfo
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2959964966-0
                                                                                                                                                                                  • Opcode ID: c3d6eaa9eee9f134ec7c17922ac70990d059539d88e92a874fd5c09d6225e68c
                                                                                                                                                                                  • Instruction ID: b5d6d8ca71f7d3bc3df22fe26c3b97572eab2a5dbbbfe4c0a6592a6786ca5503
                                                                                                                                                                                  • Opcode Fuzzy Hash: c3d6eaa9eee9f134ec7c17922ac70990d059539d88e92a874fd5c09d6225e68c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D210775A112798BDB34CF29CA006B633B0FFD2B58B254959E8918BB50E33999C097F0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836D8E
                                                                                                                                                                                  • _get_osfhandle.MSVCR100(?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836D98
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836D9F
                                                                                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C836DA6
                                                                                                                                                                                    • Part of subcall function 6C82A78A: _get_osfhandle.MSVCR100(?,?,?,?,6C82A865,?,6C82A880,00000010), ref: 6C82A795
                                                                                                                                                                                    • Part of subcall function 6C82A78A: _get_osfhandle.MSVCR100(?), ref: 6C82A7B8
                                                                                                                                                                                    • Part of subcall function 6C82A78A: CloseHandle.KERNEL32(00000000), ref: 6C82A7BF
                                                                                                                                                                                  • _errno.MSVCR100(?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C850539
                                                                                                                                                                                  • __doserrno.MSVCR100(?,00000000,?,?,?,6C836CEC,?,?,6C836D08,00000010), ref: 6C850544
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4219055303-0
                                                                                                                                                                                  • Opcode ID: f7d9a1f7ff2ea8e85856dc5de42ea60c6d5a054eed7c2c68d13bdac904572336
                                                                                                                                                                                  • Instruction ID: 9a7ee0d03d7c9df098014c87fbb6bca510ba13d1ee5a4e48d2b23b239696434f
                                                                                                                                                                                  • Opcode Fuzzy Hash: f7d9a1f7ff2ea8e85856dc5de42ea60c6d5a054eed7c2c68d13bdac904572336
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF314032204285AFDB11CFA8C9C8AD13BF5EF0A30CF6045A8E944CF662D771EA05CB80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbspbrk.MSVCR100(?,6C86CC20,?,00000000,6C86C07C,?,?,?,?,?,?,6C847432), ref: 6C86CB8B
                                                                                                                                                                                  • _match.LIBCMT ref: 6C86CB98
                                                                                                                                                                                  • _calloc_crt.MSVCR100(00000004,00000002,?,00000000,6C86C07C,?,?,?,?,?,?,6C847432), ref: 6C86CBCC
                                                                                                                                                                                  • free.MSVCR100(?,?,00000000,6C86C07C,?,?,?,?,?,?,6C847432), ref: 6C86CC08
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _calloc_crt_match_mbspbrkfree
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 518297505-0
                                                                                                                                                                                  • Opcode ID: 1eee31de6c526e925ec9c3110e4b1ce2412ddd01e9d5bf351b5358916b4bbf93
                                                                                                                                                                                  • Instruction ID: 4e3b6779f01642d0b57cb19fb15edb10def4ee15f0ce5f0e62902cdf1f63ec39
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1eee31de6c526e925ec9c3110e4b1ce2412ddd01e9d5bf351b5358916b4bbf93
                                                                                                                                                                                  • Instruction Fuzzy Hash: F1116072704910ABCF32AF6E9A40446BBF5EB8A7283354D7AD4A5D7E52DA319C8187C0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCR100(00000010), ref: 6C868F10
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6C868F1C
                                                                                                                                                                                  • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C868F33
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(00000000,6C8C00DC), ref: 6C868F4A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastThrow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 887365526-0
                                                                                                                                                                                  • Opcode ID: 8fcbafd1fd4e883818457572e0b53c887183ca2a74dea48625335f5ab5068189
                                                                                                                                                                                  • Instruction ID: ec9dbc6cabc0c6760d765b4eb571eef71bc7023f451274b81ae738c3d236bd80
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8fcbafd1fd4e883818457572e0b53c887183ca2a74dea48625335f5ab5068189
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5021C2716106059BD760CB7ACA44B9A37F4AF16328F104E7AA82DDBEC0E774E504CBD0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • TlsSetValue.KERNEL32(?,?,00000000,?,?,?,6C860A36,00000000,00000001,?,?,6C860A58), ref: 6C860B2B
                                                                                                                                                                                  • QueryDepthSList.KERNEL32(?,?,00000000,?,?,?,6C860A36,00000000,00000001,?,?,6C860A58), ref: 6C860B3F
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,6C860A36,00000000,00000001,?,?,6C860A58), ref: 6C860B61
                                                                                                                                                                                  • InterlockedPushEntrySList.KERNEL32(?,-00000004,?,?,?,6C860A36,00000000,00000001,?,?,6C860A58), ref: 6C860B79
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: List$CloseDepthEntryHandleInterlockedPushQueryValue
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 94243546-0
                                                                                                                                                                                  • Opcode ID: 11638455a8d6ee5714b33c27a1efc13b0a50622e6aef75e0db7de28585b7d0bc
                                                                                                                                                                                  • Instruction ID: c95acf6eeaf2d5a4c65f6e2f3be1a8ea7de1d9ebfb3c4b60d41948745e991435
                                                                                                                                                                                  • Opcode Fuzzy Hash: 11638455a8d6ee5714b33c27a1efc13b0a50622e6aef75e0db7de28585b7d0bc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F21D671601254ABDB208F25C588B9E77F8EF41329F144869E85ACBA40DB70E948CB94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _lock_file.MSVCR100(?,6C82CE28,00000014), ref: 6C82CDD4
                                                                                                                                                                                    • Part of subcall function 6C82A557: _lock.MSVCR100(?,?,?,6C876EA0,00000040,6C876ED8,0000000C,6C848676,00000000,?), ref: 6C82A584
                                                                                                                                                                                  • _fgetwc_nolock.MSVCR100(?,?,?,6C82CE28,00000014), ref: 6C82CDE9
                                                                                                                                                                                  • _errno.MSVCR100(6C82CE28,00000014), ref: 6C832E04
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(6C82CE28,00000014), ref: 6C8486B0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_fgetwc_nolock_invalid_parameter_noinfo_lock_lock_file
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3916178533-0
                                                                                                                                                                                  • Opcode ID: 4c6a6dc1615af343e86d24ae6b60eb5ae7b2985d357cd9b25ce4227aa6c09d67
                                                                                                                                                                                  • Instruction ID: 21f265488499b47677a9ef2bea9e5f2ed8db9a78934f80daf78ee8a76fae4ed8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4c6a6dc1615af343e86d24ae6b60eb5ae7b2985d357cd9b25ce4227aa6c09d67
                                                                                                                                                                                  • Instruction Fuzzy Hash: 601184719012599FDB70AFA9C7880AD76A0AF44328B209C3AD468D7A82D33CC9C59BC1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_memset_msizerealloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1728161066-0
                                                                                                                                                                                  • Opcode ID: 5429b36844b1c51c28563ff91aa890585944cbb2be13d04acb69f0e001fb0dba
                                                                                                                                                                                  • Instruction ID: 9a6f21f6bdab993ae6d0ba8428952a359e62dd1dc44277f83f983fd150cfa0fb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5429b36844b1c51c28563ff91aa890585944cbb2be13d04acb69f0e001fb0dba
                                                                                                                                                                                  • Instruction Fuzzy Hash: E2F02637614216BFD7344D699DCCD9A7B59EBC1278F244D3AE50886A50DA3D888481D0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C86ACEA: GetCurrentThreadId.KERNEL32 ref: 6C86AD16
                                                                                                                                                                                    • Part of subcall function 6C86ACEA: swprintf.LIBCMT(?,00000401,[%d:%d:%d:%d(%d)] ,00000000,?,6C86AA8C,?,?,?), ref: 6C86AD40
                                                                                                                                                                                    • Part of subcall function 6C86ACEA: _vswprintf_s.LIBCMT(00000401,00000401,?,6C86AA8C,?,00000002,000000F8,?,6C86AA8C,?,?,?), ref: 6C86AD62
                                                                                                                                                                                    • Part of subcall function 6C86ACEA: _wcslen.LIBCMT(?,00000401,00000401,?,6C86AA8C,?,00000002,000000F8,?,6C86AA8C,?,?,?), ref: 6C86AD68
                                                                                                                                                                                  • _fwprintf.LIBCMT(6C8C2048,?), ref: 6C86AB11
                                                                                                                                                                                    • Part of subcall function 6C8749A4: _errno.MSVCR100(6C874A30,0000000C,6C86A97A,?), ref: 6C8749C0
                                                                                                                                                                                    • Part of subcall function 6C8749A4: _invalid_parameter_noinfo.MSVCR100(6C874A30,0000000C,6C86A97A,?), ref: 6C8749CB
                                                                                                                                                                                  • __aullrem.LIBCMT ref: 6C86AB28
                                                                                                                                                                                  • fflush.MSVCR100(00000032,00000000), ref: 6C86AB45
                                                                                                                                                                                    • Part of subcall function 6C82FECF: _lock_file.MSVCR100(?,6C82FF18,0000000C), ref: 6C82FEE9
                                                                                                                                                                                    • Part of subcall function 6C82FECF: _fflush_nolock.MSVCR100(?,6C82FF18,0000000C), ref: 6C82FEF5
                                                                                                                                                                                  • OutputDebugStringW.KERNEL32(?), ref: 6C86AB54
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentDebugOutputStringThread__aullrem_errno_fflush_nolock_fwprintf_invalid_parameter_noinfo_lock_file_vswprintf_s_wcslenfflushswprintf
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2952570019-0
                                                                                                                                                                                  • Opcode ID: 3d1124a442c65b92eeeb82978e3e17c0c470a7e3687e8585e1eebdf33f50a986
                                                                                                                                                                                  • Instruction ID: 07d6be761cb470d0a6a1e2d56e9aecc521e65d3088230e9b844c6a3dede0cb3f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d1124a442c65b92eeeb82978e3e17c0c470a7e3687e8585e1eebdf33f50a986
                                                                                                                                                                                  • Instruction Fuzzy Hash: FD115E31A00248AFDFA5CF65CD49BD977B9FB5530CF104479E845D6940EB319B88CB94
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C860376: TlsGetValue.KERNEL32(6C865D05,?,00000000,?,6C855C86,00000001), ref: 6C86037C
                                                                                                                                                                                  • Concurrency::unsupported_os::unsupported_os.LIBCMT(?,00000000,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C860AAB
                                                                                                                                                                                    • Part of subcall function 6C85816F: std::exception::exception.LIBCMT(?,00000000,?,?,6C860AB0,?,00000000), ref: 6C858183
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFFD4,?,00000000,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C860AB9
                                                                                                                                                                                    • Part of subcall function 6C8377D4: RaiseException.KERNEL32(?,?,6C84F317,?,?,?,?,?,6C84F317,?,6C82BDD8,6C8C7580), ref: 6C837813
                                                                                                                                                                                  • TlsSetValue.KERNEL32(00000000), ref: 6C860AD4
                                                                                                                                                                                  • TlsSetValue.KERNEL32(00000000,?,?,?,?,00000000,?,6C855C86,00000001), ref: 6C860AFE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$Exception$Concurrency::unsupported_os::unsupported_osRaiseThrowstd::exception::exception
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1973407479-0
                                                                                                                                                                                  • Opcode ID: 0573054c5e8f1522087af516f56f3098800805efd8b9ad92c2cc37e8724c0d84
                                                                                                                                                                                  • Instruction ID: f0a5e3735102e038f11fd5ee1388dfc57ad428d1a1ce88e7f63fdcb7b0cd4a65
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0573054c5e8f1522087af516f56f3098800805efd8b9ad92c2cc37e8724c0d84
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0001D4316002046FDB32DB6ACA40A9EFBB5EF41398B010976E11993F50DF70E919CBC8
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6C860376: TlsGetValue.KERNEL32(6C865D05,?,00000000,?,6C855C86,00000001), ref: 6C86037C
                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 6C858CD8
                                                                                                                                                                                  • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C858CEA
                                                                                                                                                                                    • Part of subcall function 6C856B4E: _memset.LIBCMT(?,00000000,0000003E,00000002,6C860AF2), ref: 6C856B6D
                                                                                                                                                                                  • _CxxThrowException.MSVCR100(?,6C8BFEEC), ref: 6C858CF8
                                                                                                                                                                                  • Concurrency::unsupported_os::unsupported_os.LIBCMT ref: 6C858D00
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Concurrency::unsupported_os::unsupported_os$EventExceptionThrowValue_memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3607046972-0
                                                                                                                                                                                  • Opcode ID: 91a40c339e84f3e0122ed0b025a077f2ffb0d0467751b19787bdb46a1bdca981
                                                                                                                                                                                  • Instruction ID: b25f01c2ec6caf19d3d2ba1e280cc7fe1180258acf9447f176ac8e4428a407da
                                                                                                                                                                                  • Opcode Fuzzy Hash: 91a40c339e84f3e0122ed0b025a077f2ffb0d0467751b19787bdb46a1bdca981
                                                                                                                                                                                  • Instruction Fuzzy Hash: F8014C748521006BD7B0A738CA44E99BBB9AB41318F554D7BD865D3A90DFB0E918C790
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _getptd.MSVCR100(6C824EF0,0000000C,6C849FD5,?,?,6C829233,?), ref: 6C824E9C
                                                                                                                                                                                  • _lock.MSVCR100(0000000C), ref: 6C824EB3
                                                                                                                                                                                    • Part of subcall function 6C820C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C8221A9,0000000D), ref: 6C820C5E
                                                                                                                                                                                    • Part of subcall function 6C824F0C: _unlock.MSVCR100(0000000C,6C824EDD), ref: 6C824F0E
                                                                                                                                                                                  • _getptd.MSVCR100 ref: 6C850771
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                  • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: _getptd$CriticalEnterSection_lock_unlock
APIs
• _errno.MSVCR100(00000000,00000000,?,6C872C13,?,000000FF,?,00000000,00000000), ref: 6C872AAA
• _invalid_parameter_noinfo.MSVCR100(00000000,00000000,?,6C872C13,?,000000FF,?,00000000,00000000), ref: 6C872AB5
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• free.MSVCR100(00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C872AF9
• free.MSVCR100(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C872B01
Similarity
• API ID: free$_errno_invalid_parameter_invalid_parameter_noinfo
APIs
• _errno.MSVCR100(?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89ED96
• _invalid_parameter_noinfo.MSVCR100(?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89EDA0
  • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
• strncpy_s.MSVCR100(?,?,00000000,?,?,?,?,6C89DA01,00000000,?,00000000), ref: 6C89EDC4
• __invoke_watson.LIBCMT(00000000,00000000,00000000,00000000,00000000), ref: 6C89EDD5
Similarity
• API ID: __invoke_watson_errno_invalid_parameter_invalid_parameter_noinfostrncpy_s
APIs
• CreateThread.KERNEL32(00000000,00000000,-00000018,6C860ED5,00010000,?), ref: 6C86AC8D
• GetLastError.KERNEL32 ref: 6C86AC97
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C86ACAF
• _CxxThrowException.MSVCR100(?,6C8BFEB4,00000000), ref: 6C86ACBD
  • Part of subcall function 6C86ABC4: GetModuleHandleA.KERNEL32(00000000), ref: 6C86ABDB
  • Part of subcall function 6C86ABC4: GetModuleFileNameW.KERNEL32(6C810000,?,00000104), ref: 6C86ABF7
  • Part of subcall function 6C86ABC4: LoadLibraryW.KERNEL32(?), ref: 6C86AC08
Similarity
• API ID: Module$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorExceptionFileHandleLastLibraryLoadNameThreadThrow
APIs
• __EH_prolog3.LIBCMT ref: 6C866E81
• EnterCriticalSection.KERNEL32(?,00000008,6C8692D1), ref: 6C866E93
• ??2@YAPAXI@Z.MSVCR100(00000038), ref: 6C866EBB
  • Part of subcall function 6C85B834: __EH_prolog3.LIBCMT ref: 6C85B83B
• LeaveCriticalSection.KERNEL32(?), ref: 6C866EDB
Similarity
• API ID: CriticalH_prolog3Section$??2@EnterLeave
APIs
Similarity
• API ID: _errno$_invalid_parameter_noinfo_memmove
APIs
• _lock.MSVCR100(00000007,6C832598,0000000C), ref: 6C832561
  • Part of subcall function 6C820C43: EnterCriticalSection.KERNEL32(00000001,00000001,?,6C8221A9,0000000D), ref: 6C820C5E
  • Part of subcall function 6C8326C3: wcsnlen.MSVCR100(?,00007FFF,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C8326ED
  • Part of subcall function 6C8326C3: wcsnlen.MSVCR100(?,00007FFF,?,00007FFF,?,?,?,00000007,00000007,?,6C832576,?,?,6C832598,0000000C), ref: 6C8326F8
  • Part of subcall function 6C8326C3: _calloc_crt.MSVCR100(00000002,00000002), ref: 6C832717
  • Part of subcall function 6C8326C3: wcscpy_s.MSVCR100(00000000,00000002,?), ref: 6C83272E
  • Part of subcall function 6C8326C3: wcscpy_s.MSVCR100(?,00000002,?,00000000,00000002,?), ref: 6C83274B
  • Part of subcall function 6C8326C3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C832789
  • Part of subcall function 6C8326C3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C8327A5
  • Part of subcall function 6C8326C3: _calloc_crt.MSVCR100(00000000,00000001), ref: 6C8327B2
• _errno.MSVCR100(6C832598,0000000C), ref: 6C8510A2
• _invalid_parameter_noinfo.MSVCR100(6C832598,0000000C), ref: 6C8510AC
• _errno.MSVCR100(6C832598,0000000C), ref: 6C8510B8
  • Part of subcall function 6C83253A: _unlock.MSVCR100(00000007,6C83258F,6C832598,0000000C), ref: 6C83253C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide_calloc_crt_errnowcscpy_swcsnlen$CriticalEnterSection_invalid_parameter_noinfo_lock_unlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 813033701-0
                                                                                                                                                                                  • Opcode ID: d8023a19385abdfc580d5b95f63bdec096dfa78f2b586a58e623fb83bdb999aa
                                                                                                                                                                                  • Instruction ID: 70ac6f68448c7e5dd1ff0120eb04f576f01f05a0cf31d6cbdb9fed47d45117c4
                                                                                                                                                                                  • Opcode Fuzzy Hash: d8023a19385abdfc580d5b95f63bdec096dfa78f2b586a58e623fb83bdb999aa
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83F0F671600215AED7705FBCDA287CD37606F01328F509835E014DAB90EB7C86859BD0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 6C858EA6
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,00000004,6C858BA2), ref: 6C858ED0
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,00000004,6C858BA2), ref: 6C858EE4
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCR100(?), ref: 6C858F14
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseHandle$??3@H_prolog3
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 236738836-0
                                                                                                                                                                                  • Opcode ID: 4d53956ade1bb5376e146d85cd45ee1b0fe6f60ec5f25bbd14391850d1bd55c5
                                                                                                                                                                                  • Instruction ID: 76a412f4ced2cb4c992f1abd29620f9878d256fd1369f91317acd2fbf38a3f14
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d53956ade1bb5376e146d85cd45ee1b0fe6f60ec5f25bbd14391850d1bd55c5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2EF03175A0170097D7709F78C68579672F4BF10219FA04C6DD0A99BB50DFB9E858C7A0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _lock_file.MSVCR100(?,?,?,?,?,?,?,6C82A990,0000000C), ref: 6C82A961
                                                                                                                                                                                    • Part of subcall function 6C82A557: _lock.MSVCR100(?,?,?,6C876EA0,00000040,6C876ED8,0000000C,6C848676,00000000,?), ref: 6C82A584
                                                                                                                                                                                  • _fclose_nolock.MSVCR100(?,?,?,?,?,?,?,6C82A990,0000000C), ref: 6C82A96C
                                                                                                                                                                                    • Part of subcall function 6C82A8DF: __freebuf.LIBCMT ref: 6C82A903
                                                                                                                                                                                    • Part of subcall function 6C82A8DF: _fileno.MSVCR100(?,?,?), ref: 6C82A909
                                                                                                                                                                                    • Part of subcall function 6C82A8DF: _close.MSVCR100(00000000,?,?,?), ref: 6C82A90F
                                                                                                                                                                                    • Part of subcall function 6C82A9AC: _unlock_file.MSVCR100(?,6C82A981,?,?,?,?,?,?,6C82A990,0000000C), ref: 6C82A9AD
                                                                                                                                                                                  • _errno.MSVCR100(?,?,?,?,?,?,6C82A990,0000000C), ref: 6C848BC3
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(?,?,?,?,?,?,6C82A990,0000000C), ref: 6C848BCE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1403730806-0
                                                                                                                                                                                  • Opcode ID: f2c99713b9ad1f6747bae59b9c760e05eb90b7d7d5b98922f8a18de3a6301c6a
                                                                                                                                                                                  • Instruction ID: 0dbdb5df72c0730122deada1ecd62da177c9a4d7599e90cc5d2cc9a85d09f79f
                                                                                                                                                                                  • Opcode Fuzzy Hash: f2c99713b9ad1f6747bae59b9c760e05eb90b7d7d5b98922f8a18de3a6301c6a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6BF09670801719AED7309B7D8A087DE77A05F01338F218F259474A6AC0CB3C5585AFD9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno$_invalid_parameter_noinfo_wfsopen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 972587971-0
                                                                                                                                                                                  • Opcode ID: 33518f1f829daef67386d686cdd8cb7bfa0aef1fa8333d9c5588fbc4d1558859
                                                                                                                                                                                  • Instruction ID: bdb0fd141d088c6d10091d6d03c1ea56c5535d19da361abce6e82dd02133daa1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 33518f1f829daef67386d686cdd8cb7bfa0aef1fa8333d9c5588fbc4d1558859
                                                                                                                                                                                  • Instruction Fuzzy Hash: D5E09B716402296BD7316E6C9D04AEA3B54AF45758F044C31F8549BB10EB75D884CBC0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _errno.MSVCR100(6C876ED8,0000000C,6C848676,00000000,?), ref: 6C876E83
                                                                                                                                                                                  • _invalid_parameter_noinfo.MSVCR100(6C876ED8,0000000C,6C848676,00000000,?), ref: 6C876E8E
                                                                                                                                                                                    • Part of subcall function 6C89AEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6C86B84F,?,6C86C3D3,00000003,6C8474A4,6C82AA18,0000000C,6C8474F7,00000001,00000001), ref: 6C89AEB5
                                                                                                                                                                                  • _lock_file.MSVCR100(00000040,6C876ED8,0000000C,6C848676,00000000,?), ref: 6C876E9B
                                                                                                                                                                                  • _ungetc_nolock.MSVCR100(?,00000040,6C876ED8,0000000C,6C848676,00000000,?), ref: 6C876EAB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _errno_invalid_parameter_invalid_parameter_noinfo_lock_file_ungetc_nolock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3962069902-0
                                                                                                                                                                                  • Opcode ID: c39438411892e46deb716501d812cadd2d92437593b9704c5ce6e9b513925f91
                                                                                                                                                                                  • Instruction ID: 1d7395ceb3c390dcf9642c8ee19fea76c9e90368e1459436d8db009a629452cc
                                                                                                                                                                                  • Opcode Fuzzy Hash: c39438411892e46deb716501d812cadd2d92437593b9704c5ce6e9b513925f91
                                                                                                                                                                                  • Instruction Fuzzy Hash: B0F01272404209EEDB315FBCDA056DE3760AF0033CF208E75E424D9AE0EB7986899B65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6C89CC30
                                                                                                                                                                                  • __DestructExceptionObject.MSVCR100(?,00000001), ref: 6C89CC42
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
                                                                                                                                                                                   • Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                   • Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentDestructExceptionImageNonwritableObject
                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                  • API String ID: 574919218-1018135373
                                                                                                                                                                                  • Opcode ID: aca7d4cdb04cab68153e5e93a4f557c5e6229eed4f58f8e3a8d3c4ca979bcbb5
                                                                                                                                                                                  • Instruction ID: e466cdb4b6314ca35c2dac42f0f5eb02f62e95f669a17095a7ce07d6f8a5f4be
                                                                                                                                                                                  • Opcode Fuzzy Hash: aca7d4cdb04cab68153e5e93a4f557c5e6229eed4f58f8e3a8d3c4ca979bcbb5
                                                                                                                                                                                  • Instruction Fuzzy Hash: D85153346002059FCB24DF6DC594AAEB7B1FF89328F14896DEC669B792C731E940CB50
APIs
• std::exception::exception.LIBCMT(6C85C69C), ref: 6C85C660
• _CxxThrowException.MSVCR100(00010000,6C8BFE78,6C85C69C), ref: 6C85C675
Strings
Memory Dump Source
• Source File: 00000010.00000002.2278858727.000000006C811000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6C810000, based on PE: true
• Associated: 00000010.00000002.2278821802.000000006C810000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278927695.000000006C8C3000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278954164.000000006C8C5000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 00000010.00000002.2278976992.000000006C8C8000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_6c810000_RDMAppman.jbxd
Similarity
• API ID: ExceptionThrowstd::exception::exception
• String ID: version
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00EE1966
• mprError.LIBMPR(Cannot open service manager), ref: 00EE1977
• OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00EE1994
• mprError.LIBMPR(Cannot open service), ref: 00EE19A5
• CloseServiceHandle.ADVAPI32(00000000), ref: 00EE19AE
Strings
• Cannot open service manager, xrefs: 00EE1972
Memory Dump Source
• Source File: 00000010.00000002.2278289064.0000000000EE1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00EE0000, based on PE: true
• Associated: 00000010.00000002.2278270038.0000000000EE0000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278324645.0000000000EE4000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2278355928.0000000000EE7000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_ee0000_RDMAppman.jbxd
Similarity
• API ID: ErrorOpenService$CloseHandleManager
• String ID: Cannot open service manager